Your message dated Thu, 19 Jun 2025 19:43:50 +0200 with message-id <aFRMVsHbfMOFDvDL@ramacher.at> and subject line Re: Bug#1104748: release.debian.org: advise on handling QuickJS and Edbrowse for Trixie has caused the Debian Bug report #1104748, regarding release.debian.org: advise on handling QuickJS and Edbrowse for Trixie to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1104748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104748
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release.debian.org: advise on handling QuickJS and Edbrowse for Trixie
- From: Sebastian Humenda <shumenda@gmx.de>
- Date: Mon, 5 May 2025 18:37:00 +0200
- Message-id: <aBjpGHMiNtsEMC_m@freikrust.freikrust>
Package: release.debian.org
Severity: important
X-Debbugs-Cc: pkg-a11y-devel@alioth-lists.debian.net

Hi

QuickJS has two CVEs, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 . Upstream has fixed the CVEs in a new version that at the same time makes an API-incompatible change. Backporting the CVEs can be riskier than packaging the new upstream version. Currently the only downstream user of QuickJS is Edbrowse, which statically links to QuickJS and is also affected by the API change.

In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26 and would now need to upload the already packaged Edbrowse (see SALSA). I suppose this is against the release plan/policy, hence I'm raising it here.

As I said, I believe it will be easier for Trixie to get the latest versions into Debian, as this will decrease the maintenance burden, especially in the case of future CVEs.

Thanks
--- End Message ---
--- Begin Message ---
- To: Sebastian Humenda <shumenda@gmx.de>, 1104748-done@bugs.debian.org
- Subject: Re: Bug#1104748: release.debian.org: advise on handling QuickJS and Edbrowse for Trixie
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Thu, 19 Jun 2025 19:43:50 +0200
- Message-id: <aFRMVsHbfMOFDvDL@ramacher.at>
- In-reply-to: <aDVwZxxQvOyepG3r@freikrust.freikrust>
- References: <aBjpGHMiNtsEMC_m@freikrust.freikrust> <aDTWwKqqSBH_P91U@ramacher.at> <aBjpGHMiNtsEMC_m@freikrust.freikrust> <aDVwZxxQvOyepG3r@freikrust.freikrust>
On 2025-05-27 09:57:27 +0200, Sebastian Humenda wrote:
> Hi
>
> Sebastian Ramacher wrote on 26.05.2025, 23:01 +0200:
> […]
> >> QuickJS has two CVEs, see
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
> >> Upstream has fixed the CVEs in a new version that at the same time makes an
> >> API-incompatible change. Backporting the CVEs can be riskier than packaging the new
> >> upstream version. Currently the only downstream user of QuickJS is Edbrowse,
> >> which statically links to QuickJS and is also affected by the API change.
> >>
> >> In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26
> >> and would now need to upload the already packaged Edbrowse (see SALSA). I
> >> suppose this is against the release plan/policy, hence I'm raising it here.
> >
> >So I suppose that caused #1104835, right? Could you please fix the state
> >in unstable and then file unblock bugs for both.
>
> Yes, indeed. I'll do.

Both have been uploaded and unblocked. Closing

Cheers
--
Sebastian Ramacher
--- End Message ---