On 04/02/2022 10:50, Nilesh Patra wrote:
> Hi Yadd,
> On 2/4/22 2:57 PM, Yadd wrote:
>> Hi all,
>> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a
>> "maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
>> * generates some pkgjs-lock.json files
>> * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>> (see [1])
>> The goal here is to be able to launch a transition in case of a CVE in a
>> source of a bundled package.
>> To use ${nodejs:BuiltUsing}, simply add:
> Thanks for your work!
> I had a question: wouldn't that be a violation of the policy?
> Since at the same link you passed, it says:
> | This field should be used only when there are license or DFSG requirements to
> | retain the referenced source packages. It should not be added solely as a way
> | to locate packages that need to be rebuilt against newer versions of their build dependencies.
You're right, it's probably not the right field.
> Although the goal here is to track CVEs, it does not seem to have
> much to do with licenses.
> Actually, even the golang team uses something similar (not exactly the same);
> please consider looking at this link [2]
> and they were thinking of doing it along the lines of the rust team, i.e. introducing an
> XS-<lang>-Built-Using or something similar;
> do you think using an XS-javascript-Built-Using could be a more sensible
> option on our side?
> Let me know.
Or X-Javascript-Built-Using?
> [1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using
> [2]: https://wiki.debian.org/Teams/DebianGoTeam/2020/GoEcosystemIssues#unstable-.3Etesting_migration
> Regards,
> Nilesh
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
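Whichever field name the team settles on, the point of recording bundled sources is to find the binaries that must be rebuilt when a CVE lands in one of them. The following is an added example, not code from the thread or from dh-sequence-nodejs: it parses the "source (= version)" list syntax of Built-Using from constructed control stanzas (package names, versions and the X-Javascript-Built-Using field name are assumptions) and lists the binaries embedding a given source package.

```python
import re

# Constructed sample control stanzas for illustration; package names, versions
# and the X-Javascript-Built-Using field name are assumptions, not from the thread.
SAMPLE_STANZAS = """\
Package: node-foo
Version: 1.2.3-1
X-Javascript-Built-Using: node-lodash (= 4.17.21+dfsg-1), node-minimist (= 1.2.6-1)

Package: node-bar
Version: 0.9-2
Built-Using: node-minimist (= 1.2.5-1)

Package: node-baz
Version: 2.0-1
"""

# The policy field and a hypothetical X- variant carry the same
# "source (= version)" list syntax, so one parser covers either choice.
FIELDS = ("Built-Using", "X-Javascript-Built-Using")
ENTRY = re.compile(r"^(?P<src>[a-z0-9][a-z0-9+.-]*)\s*\(=\s*(?P<ver>[^)\s]+)\)$")


def parse_stanzas(text):
    """Split a control-style file into dicts of field -> value (simple fields only)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields


def built_using(fields):
    """Return [(source, version), ...] from whichever Built-Using-style field is present."""
    entries = []
    for name in FIELDS:
        for item in fields.get(name, "").split(","):
            item = item.strip()
            if not item:
                continue
            m = ENTRY.match(item)
            if not m:
                raise ValueError(f"malformed {name} entry: {item!r}")
            entries.append((m["src"], m["ver"]))
    return entries


def rebuild_candidates(text, vuln_source):
    """Binaries embedding vuln_source, with the embedded version, sorted by package name."""
    hits = []
    for f in parse_stanzas(text):
        for src, ver in built_using(f):
            if src == vuln_source:
                hits.append((f["Package"], ver))
    return sorted(hits)
```

Comparing the embedded version against the fixed one needs Debian version ordering (e.g. via apt_pkg), which this example deliberately leaves out.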