Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

[Emilio Pozuelo Monfort <pochu@debian.org>]

On 20/02/2020 18:00, Salvatore Bonaccorso wrote:
> Hi Holger,
> 
> On Thu, Feb 20, 2020 at 04:49:09PM +0000, Holger Levsen wrote:
>>> Does LTS provide updates for nodejs/nodejs-*, and is there a place where
>>> we can document this decision?
>>  
>> I'd lean to call it unsupported and document this in src:debian-security-support.
> 
> I guess you will need to add it to the ended file instead, that is
> declare it end-of-life because not supportable by backporting fixes --
> unsupported covers all suites, and this as you noticed was the reason
> to remove it again from there as we tentatively want to be able to
> support nodejs in buster.

Yes, this was mentioned in the release notes for jessie and stretch:

https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8

So we should add it to security-support-ended for those releases, and
let it be supported in buster.

Cheers,
Emilio