Hi Security team, Santiago, On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
You may be probably be aware that I filled the bootstrap v5 migration-related bugs, that can be listed with: https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-...@lists.debian.orgDo you believe their severity could be increased? If yes, to important, to grave? It would be great to get rid of the dependencies on those unmaintained bootstrap versions, whose outstanding (minor-severity) CVEs are difficult to get fixed, and it will be the case for any future issue. https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3 https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4 The time for fixing all of those dependencies is probably too short for trixie. But I would bring it for discussion.
@Santiago, are there key packages involved in this? If so, which?What's the opinion of the security team on this? I want to follow your lead here. If you think it's better from a security standpoint to not have this in trixie, I'm fine with raising severity now (assuming no key packages are involved).
Paul
OpenPGP_signature.asc
Description: OpenPGP digital signature
