Bug#1104748: release.debian.org: advise on handling QuickJS and Edbrowse for Trixie
On 2025-05-05 18:37:00 +0200, Sebastian Humenda wrote:
> Package: release.debian.org
> Severity: important
> X-Debbugs-Cc: pkg-a11y-devel@alioth-lists.debian.net
>
> Hi
>
> QuickJS has two CVEs, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
> Upstream has fixed the CVEs in a new version that at the same time makes an
> API-incompatible change. Backporting the CVEs can be riskier than packaging the new
> upstream version. Currently, the only downstream user of QuickJS is Edbrowse,
> which statically links to QuickJS and is also affected by the API change.
>
> In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26
> and would now need to upload the already packaged Edbrowse (see SALSA). I
> suppose this is against the release plan/policy, hence I'm raising it here.
So I suppose that caused #1104835, right? Could you please fix the state
in unstable and then file unblock bugs for both.
Cheers
>
> As I said, I believe it will be easier for Trixie to get the latest versions
> into Debian, as this will decrease the maintenance burden, especially in the
> case of future CVEs.
> Thanks
--
Sebastian Ramacher