On Mon, Jun 4, 2018 at 6:29 PM, Dmitry Smirnov wrote: > IMHO we should have been working on improving GitLab package in order to make > is suitable for Salsa if it is not suitable already. What are the blockers?
In my opinion the biggest blocker is that, the node.js ecosystem is not security supported by Debian because of libv8 not being security supported. In addition, there is no-one in Debian tracking vulnerabilities in the node.js ecosystem reported by NodeSecurity and importing the issues into the Debian security tracker. I used to do this occasionally to see how many issues we were ignoring but it needs to be done in a systematic way by people interested in JavaScript security. The biggest problem with this is that a lot of NodeSecurity reported issues do not get a CVE, this seems to be improving though. After that, the ones that did get a CVE were either still reserved with no info or in 'check' mode and needed to be classed as not-for-us or applying to a certain Debian package. https://nodesecurity.io/advisories I have no idea how that compares with the security support provided by GitLab upstream though. -- bye, pabs https://wiki.debian.org/PaulWise