On Thu, Oct 06, 2016 at 11:48:36AM +0200, Philip Hands wrote:
>...
> The security team are going to have to track down every instance of that
> code and fix it. If the bug is something to do with an interaction
> between the code and the tools used to "browserify" the code, that may be
> non-trivial.
For the DFSG it is perfectly fine if a package ships a private
(potentially modified) copy of the code and only works with this
specific copy.

And providing 3 years of security support for a huge amount of JS
packages sounds challenging in any case.

I would strongly distinguish between the "what is source code according
to the DFSG" and "what can the security team support" questions.

The former is a general question that is relevant here, the latter is a
release-specific issue that should be discussed separately.

>...
> Of course, for that to happen we'd have to start accepting tiny
> javascript packages, which is currently not happening (which also seems
> to be a blocker to grunt being packaged BTW).

https://sources.debian.net/src/node-number-is-nan/1.0.0-1/index.js/

I cannot imagine a package more tiny than this one that was accepted
last month.

> Cheers, Phil.
>...

cu
Adrian

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed