On Mon, Feb 29, 2016 at 5:05 AM, Antonio Terceiro wrote: > IMO both in this specific case, and in the general case, the correct > technical decision is to track the actual upstream as a proper > Javascript package (supporting both browser usage and NodeJS, if it > makes sense), and make the convenience packages for other languages use > and depend on the proper Javascript one. > > I think this situation is exactly the same as convenience copies of C > libraries: we always want to have a single copy of each library in the > archive, first because of security updates, but also to keep some level > of sanity. In most cases we will be able to do that, and in a few cases > we will have to make -- temporary, one hopes -- exceptions.
Agreed. In the case of exceptions, please tell the security team about them: https://wiki.debian.org/EmbeddedCodeCopies -- bye, pabs https://wiki.debian.org/PaulWise