Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

On Thu, Feb 20, 2020 at 04:40:39PM +0100, Sylvain Beucler wrote:
> I see nodejs was added to "security-support-limited", then removed again
> because it is supported in buster.

yes, because at first it referred to the situation in stretch, now it refers
to buster.

> However there is no information about whether we support this package in
> jessie (and soon stretch).

the debian security team considered nodejs unsupportable in stretch because:

- the version was really old
- nodejs used not to have LTS releases and was very fast moving, only recently
  upstream supports older releases
- the modules are also unsupportable, so all issues there are still marked no-dsa.

> Also nodejs was recently added to dla-needed.txt.

that "just" means it has issues, not that those issues are fixable with reasonable efforts.

> Does LTS provide updates for nodejs/nodejs-*, and is there a place where
> we can document this decision?

I'd lean to call it unsupported and document this in src:debian-security-support.


       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Some people say that the climate crisis  is something that we all have created,
but  that is not true,  because if everyone is guilty  then no one is to blame.
And someone is to blame.  Some people, some companies,  some decision-makers in
particular, have known exactly what priceless values they have been sacrificing
to continue making unimaginable amounts of money.
