Vít Ondruch wrote: > Dne 28.8.2018 v 15:58 Christopher napsal(a): > > Given the security vulnerabilities in jQuery 1 (and 2) and the fact > > that upstream dropped them a long time ago, I strongly recommend the > > packages be retired than kept alive. Packagers depend on the newer > > js-jquery (3) instead, patching as needed. > > Of course I see your point. Nevertheless, I still believe that it is > better to have the CVEs in one package where they will be eventually > fixed then spread across the whole Fedora bundled in all packages, > because I am quite sure this will be the result of retiring js-jquery1.
What reason do you have to believe that the security holes in Jquery 1 will eventually be fixed, if upstream has abandoned it in favor of Jquery 3? Note also that insecure packages will be forcibly removed per Fesco decision just this week: https://pagure.io/fesco/issue/1935 You'd have to obtain some kind of exemption from that policy if you want to keep an insecure Jquery 1 around indefinitely. Björn Persson
pgpa_dupqeveQ.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
