Dear all,

On 20/11/24 at 12:19, Santiago Ruano Rincón wrote:
> Dear fellow developers,
> 
> (Sorry for any duplicate. I've tried to send a first mail to
> debian-devel, but it hadn't reached the list. So I am sending a more
> compact version of my previous message.)
> 
> A little bit more of context can be found at:
> https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2024-October/081589.html
> and:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059#5,
> 
> I would like to discuss a mass bug filing for packages {,build-}
> depending on twitter-bootstrap3 or twitter-bootstrap4, which have been
> EOL'ed by upstream. The security support for bootstrap 3 and 4 has some
> challenges, and it would be great if the packages depending on them
> could migrate to bootstrap 5.
> 
> However, bootstrap 5 is not just a drop-in replacement, and some
> patching at upstream level may be needed. It is probably too late for
> trixie. A more realistic target would be trixie+1. In any case, from the
> security support PoV, the higher the number of packages have moved to
> bootstrap5 for trixie, the better.
> 
> The list of concerned reverse dependencies and their maintainers, for
> the two different versions, can be found here attached. For simplicity,
> this time I've included the first level of reverse dependencies only.

[snip]

You may already be aware that I filed the bootstrap v5
migration-related bugs, which can be listed with:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-...@lists.debian.org

Do you believe their severity could be increased? If yes, to important,
or to grave?

It would be great to get rid of the dependencies on those unmaintained
bootstrap versions, whose outstanding (minor-severity) CVEs are
difficult to get fixed, and the same will be true of any future issue.
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4

The time for fixing all of those dependencies is probably too short for
trixie. But I would bring it for discussion.

Any thoughts?

Cheers,

 -- Santiago
