Re: Potential MBF: Migration from twitter-bootstrap{3,4} to bootstrap-html (v5)
- To: Emilio Pozuelo Monfort <pochu@debian.org>
- Cc: Paul Gevers <elbrus@debian.org>, team@security.debian.org, Santiago Ruano Rincón <santiagorr@riseup.net>, Daniel Baumann <daniel.baumann@progress-linux.org>, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
- Subject: Re: Potential MBF: Migration from twitter-bootstrap{3,4} to bootstrap-html (v5)
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Fri, 7 Feb 2025 12:17:07 +0100
- Message-id: <Z6Xrsxln-7oEfTZT@ramacher.at>
- Mail-followup-to: Emilio Pozuelo Monfort <pochu@debian.org>, Paul Gevers <elbrus@debian.org>, team@security.debian.org, Santiago Ruano Rincón <santiagorr@riseup.net>, Daniel Baumann <daniel.baumann@progress-linux.org>, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>, debian-release@lists.debian.org
- In-reply-to: <f6f40f7e-0f02-4887-9b9e-e8223239a97a@debian.org>
- References: <ZxRh_FsWZvD3v5M-@voleno> <da750582-8301-4719-a949-0a15a47c04cf@debian.org> <ZxbgXfDNYjT8uT4Y@voleno> <ZzKwpDrT3fuNy0Oh@voleno> <Zz3Fp6IL75t3Efxv@voleno> <Z6FH3V9XiXsxDHvK@voleno> <860d8653-b291-4756-910e-af31f3c68120@debian.org> <f6f40f7e-0f02-4887-9b9e-e8223239a97a@debian.org>
On 2025-02-07 10:47:15 +0100, Emilio Pozuelo Monfort wrote:
> On 06/02/2025 09:21, Paul Gevers wrote:
> > Hi Security team, Santiago,
> >
> > On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
> > > You may probably be aware that I filed the bootstrap v5
> > > migration-related bugs, which can be listed with:
> > > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org
> > >
> > > Do you believe their severity could be increased? If yes, to important,
> > > to grave?
> > >
> > > It would be great to get rid of the dependencies on those unmaintained
> > > bootstrap versions, whose outstanding (minor-severity) CVEs are
> > > difficult to get fixed, and it will be the case for any future issue.
> > > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
> > > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
> > >
> > > The time for fixing all of those dependencies is probably too short for
> > > trixie. But I would bring it for discussion.
> >
> > @Santiago, are there key packages involved in this? If so, which?
> >
> > What's the opinion of the security team on this? I want to follow your
> > lead here. If you think it's better from a security standpoint to not
> > have this in trixie, I'm fine with raising severity now (assuming no key
> > packages are involved).
>
> I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing,
> of which 7 are key packages:
>
> ffmpeg
The use of twitter-bootstrap3 in ffmpeg is for offline
documentation. I don't see any security issue with that.
Cheers
> fmtlib
> guzzle-sphinx-theme
> jupyter-server
> libevdev
> pydoctor
> ruby-sidekiq
>
> I haven't checked twitter-bootstrap4.
>
> Cheers,
> Emilio
>
--
Sebastian Ramacher