On Wed, 8 Jul 2020, 20:38 Jonas Smedegaard, <jo...@jones.dk> wrote:

> Quoting Nilesh Patra (2020-07-08 17:00:01)
> > On Wed, 8 Jul 2020, 20:22 Jonas Smedegaard, <jo...@jones.dk> wrote:
> > >
> > > Quoting Nilesh Patra (2020-07-08 16:26:34)
> > > > On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jo...@jones.dk> wrote:
> > > > > Please strongly consider to not only make the package link with
> > > > > system-shared libsass, but also repackage upstream tarball with
> > > > > embedded code copy removed, to ensure not accidentally using that
> > > > > code (and to lighten the size of what gets distributed in Debian and
> > > > > simplify copyright tracking and ease security tracking).
> > > >
> > > > @Jonas:
> > > > I considered the same approach after the first source-only-upload was
> > > > done.
> > > > However, it might so happen that going forward the version of sass is
> > > > updated to a newer upstream, and Debian adapts to that particular
> > > > release, but the node-sass upstream might only have support for
> > > > libsass 3.6.3 - considering that upstream of node-node-sass is slower
> > > > to adapt to changes.
> > > >
> > > > This would cause node-node-sass to FTBFS.
> > >
> > > Yes. That is how Debian generally works.
> > >
> > > Please explain why this package needs exceptional handling.
> >
> > The upstream for node-node-sass took a considerable amount of time to
> > switch to libsass 3.6.3, and there is still no official upstream release
> > yet.
> >
> > The same situation may arise in future, and it might take many months for
> > upstream to adapt.
> >
> > Hence I considered it _might_ be sensible to keep the copy.
> >
> > However, I admit that your reasoning is right here - this probably
> > doesn't need exceptional handling.
>
> None of us can predict the future. But we can choose to assume that
> this package will evolve badly in the future or that it will evolve
> well.
Correct.

> If we expect this package to evolve badly, then we should *not* keep an
> embedded copy of libsass, but instead remove this package and all its
> reverse dependencies, because libsass has been proven insecure if left
> unmaintained,

It has a few reverse dependencies - I mainly packaged this for getting
node-mermaid to Debian, which is still in NEW, and hopefully will be
accepted. I am interested in maintaining mermaid and hence do not want to
remove node-node-sass.

Maybe I'll keep nagging the upstream for evolving this properly time and
again ;-)

Kind regards,
Nilesh
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel