On 2025-02-07 10:47:15 +0100, Emilio Pozuelo Monfort wrote:
> On 06/02/2025 09:21, Paul Gevers wrote:
> > Hi Security team, Santiago,
> >
> > On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
> > > You may probably be aware that I filed the bootstrap v5
> > > migration-related bugs, that can be listed with:
> > > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-...@lists.debian.org
> > >
> > > Do you believe their severity could be increased? If yes, to important,
> > > to grave?
> > >
> > > It would be great to get rid of the dependencies on those unmaintained
> > > bootstrap versions, whose outstanding (minor-severity) CVEs are
> > > difficult to get fixed, and it will be the case for any future issue.
> > > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
> > > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
> > >
> > > The time for fixing all of those dependencies is probably too short for
> > > trixie. But I would bring it for discussion.
> >
> > @Santiago, are there key packages involved in this? If so, which?
> >
> > What's the opinion of the security team on this? I want to follow your
> > lead here. If you think it's better from a security standpoint to not
> > have this in trixie, I'm fine with raising severity now (assuming no key
> > packages are involved).
>
> I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing,
> of which 7 are key packages:
>
> ffmpeg

The use of twitter-bootstrap3 for ffmpeg is for offline documentation. I don't see any security issue with that.

Cheers

> fmtlib
> guzzle-sphinx-theme
> jupyter-server
> libevdev
> pydoctor
> ruby-sidekiq
>
> I haven't checked twitter-bootstrap4.
>
> Cheers,
> Emilio

-- 
Sebastian Ramacher