On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson <ijack...@chiark.greenend.org.uk> wrote:
> The difficulty is that if we end up with ten different versions of > some random javascript library, when it turns out to have a security > vulnerability we need to somehow backport the patch to each of those > ten versions. > > And here "we" means the security team, not the people who uploaded the > ten versions in the first place. > > So this is rather unpalatable. What's the alternative? It seems that we only have two choices: - Either all packages use the same version of the JavaScript library (what we have been doing until now, which results in some packages not working properly due to changes in the JavaScript library that manifest only in some situations in runtime). This is essentially what we do with C, C++, etc libraries, btw: the whole Debian is built against the same zlib, same glibc, same libpng, etc or - Each package works with the upstream-bundled version of the JavaScript library (and then we have the problem of backporting security fixes). The advantage being we are sure the application works as expected because it has been tested by upstream. I'm not sure what's worse: a malfunctioning application or an insecure one. Zygmunt's proposal of adding unit testing, etc to upstream is a noble one but highly unrealistic, IMHO. -- Pau Garcia i Quiles http://www.elpauer.org (Due to my workload, I may need 10 days to answer) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cakcbokuijju-o_w1vtmx0ayruqsz9cheucoslf3tsb3fjwx...@mail.gmail.com