Bug#760385: Unfixed old CVEs should really be RC
On Mon, Apr 03, 2017 at 09:13:56PM +0300, Adrian Bunk wrote:
> On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > > Control: severity -1 serious
> > >
> > > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > > 4 years old when stretch gets released.
> > >
> > > In the current state the package is really too buggy for shipping
> > > in a new stable release.
> >
> > Note that nodejs will not be covered by security support in stretch (as it was
> > done for jessie already). We had initially considered it, but with
> > nodejs 6 not having made it into stretch, that's not realistic.
> >
> > So these can be downgraded to non-RC (or if the release team thinks
> > nodejs should rather be removed from testing, removal is also an option
> > of course).
>
> This is not even the normal Node.js, this is a version of V8 from an
> upstream branch that is dead for 4 years already.

Right. Initially there was some plan to provide a supported libv8 from
src:nodejs, though. libv8 has never been covered by security support in
any Debian release so far, upstream does no real security support apart
from what lands in Chrome.

Cheers,
Moritz

Bug#760385: Unfixed old CVEs should really be RC
On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > Control: severity -1 serious
> >
> > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > 4 years old when stretch gets released.
> >
> > In the current state the package is really too buggy for shipping
> > in a new stable release.
>
> Note that nodejs will not be covered by security support in stretch (as it was
> done for jessie already). We had initially considered it, but with
> nodejs 6 not having made it into stretch, that's not realistic.
>
> So these can be downgraded to non-RC (or if the release team thinks
> nodejs should rather be removed from testing, removal is also an option
> of course).

This is not even the normal Node.js, this is a version of V8 from an
upstream branch that is dead for 4 years already.

> Cheers,
> Moritz

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

Bug#760385: Unfixed old CVEs should really be RC
On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> Control: severity -1 serious
>
> Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> 4 years old when stretch gets released.
>
> In the current state the package is really too buggy for shipping
> in a new stable release.

Note that nodejs will not be covered by security support in stretch (as it was
done for jessie already). We had initially considered it, but with
nodejs 6 not having made it into stretch, that's not realistic.

So these can be downgraded to non-RC (or if the release team thinks
nodejs should rather be removed from testing, removal is also an option
of course).

Cheers,
Moritz

Bug#760385: Unfixed old CVEs should really be RC
Control: severity -1 serious

Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
4 years old when stretch gets released.

In the current state the package is really too buggy for shipping
in a new stable release.

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed