On 06/02/2025 09:21, Paul Gevers wrote:
> Hi Security team, Santiago,
>
> On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
>> You are probably aware that I filed the bootstrap v5
>> migration-related bugs, which can be listed with:
>> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-...@lists.debian.org
>>
>> Do you believe their severity could be increased? If yes, to important,
>> to grave?
>>
>> It would be great to get rid of the dependencies on those unmaintained
>> bootstrap versions, whose outstanding (minor-severity) CVEs are
>> difficult to get fixed, and it will be the case for any future issue.
>> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
>> https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
>>
>> The time for fixing all of those dependencies is probably too short for
>> trixie. But I would bring it up for discussion.
>
> @Santiago, are there key packages involved in this? If so, which?
>
> What's the opinion of the security team on this? I want to follow your lead
> here. If you think it's better from a security standpoint to not have this in
> trixie, I'm fine with raising severity now (assuming no key packages are involved).
I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing, of
which 7 are key packages:
ffmpeg
fmtlib
guzzle-sphinx-theme
jupyter-server
libevdev
pydoctor
ruby-sidekiq
I haven't checked twitter-bootstrap4.
Cheers,
Emilio
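The kind of check Emilio describes above (which packages in testing still depend on the old bootstrap sources, and which of those are key packages) can be scripted against Debian control stanzas. The following is an added example, not code from the thread or from Debian's tooling; the stanzas and the key-package list are constructed sample data, the binary package names libjs-bootstrap and libjs-bootstrap4 are assumed to be the ones built from twitter-bootstrap3 and twitter-bootstrap4, and on a real system the same parser would be pointed at the Sources/Packages indices under /var/lib/apt/lists (or replaced by build-rdeps from devscripts).

```python
import re
from collections import defaultdict

# Constructed sample Sources/Packages stanzas (not real archive data).
SAMPLE_STANZAS = """\
Package: example-webapp
Version: 1.0-1
Depends: python3 (>= 3.11), libjs-bootstrap (>= 3.4.1), libjs-jquery
Description: constructed example

Package: example-docs-theme
Version: 2.0-1
Build-Depends: debhelper-compat (= 13),
 libjs-bootstrap4 | libjs-bootstrap,
 python3-sphinx [!nocheck] <!nodoc>
Description: constructed example

Package: example-unrelated
Version: 0.1-1
Depends: libc6 (>= 2.36), libjs-jquery:any
Description: constructed example

Package: example-key-pkg
Version: 3.2-1
Build-Depends-Indep: doxygen, libjs-bootstrap
Description: constructed example
"""

# Assumption: these binary names map to the unmaintained bootstrap sources.
TARGETS = {"libjs-bootstrap": "twitter-bootstrap3",
           "libjs-bootstrap4": "twitter-bootstrap4"}
# Constructed key-package list; the real one is maintained by the release team.
KEY_PACKAGES = {"example-key-pkg"}
# Relationship fields that count as a (build-)reverse dependency.
DEP_FIELDS = ("Depends", "Recommends", "Build-Depends",
              "Build-Depends-Indep", "Build-Depends-Arch")


def parse_stanzas(text):
    """Split RFC822-style control data into a list of field dicts,
    folding indented continuation lines into the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last:   # continuation of the previous field
            cur[last] += " " + line.strip()
            continue
        key, _, val = line.partition(":")
        last = key.strip()
        cur[last] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


# Version constraints "(...)", arch lists "[...]" and build profiles "<...>".
_QUALIFIERS = re.compile(r"\(.*?\)|\[.*?\]|<.*?>")


def parse_depends(field):
    """Return the bare package names in a dependency field. Alternatives
    ("a | b") are all kept, since either one satisfies the relationship,
    and a multiarch suffix such as ":any" is dropped."""
    names = set()
    for clause in field.split(","):
        for alt in clause.split("|"):
            name = _QUALIFIERS.sub("", alt).strip().split(":")[0]
            if name:
                names.add(name)
    return names


def reverse_deps(stanzas, targets=TARGETS, fields=DEP_FIELDS):
    """Map each package that depends on a target binary to the set of
    target source packages it pulls in."""
    rdeps = defaultdict(set)
    for st in stanzas:
        for f in fields:
            for dep in parse_depends(st.get(f, "")):
                if dep in targets:
                    rdeps[st["Package"]].add(targets[dep])
    return dict(rdeps)


def report(stanzas, key_packages=KEY_PACKAGES):
    """Sorted (package, [target sources], is_key_package) triples."""
    rdeps = reverse_deps(stanzas)
    return sorted((pkg, sorted(srcs), pkg in key_packages)
                  for pkg, srcs in rdeps.items())


if __name__ == "__main__":
    for pkg, srcs, key in report(parse_stanzas(SAMPLE_STANZAS)):
        print(f"{pkg:20} -> {', '.join(srcs):40} {'KEY' if key else ''}")
```

The report separates the two decisions the thread is about: every row is a bug that would need a severity bump, and the KEY rows are the ones that would block a removal from testing, which is why Emilio counts them separately.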