[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Am Wed, Dec 27, 2023 at 05:18:52PM +0100 schrieb Jérémy Lal: > Le mer. 27 déc. 2023 à 17:16, Moritz Mühlenhoff a écrit : > > > [ Also adding Paul Gevers for awareness, for context we're bumping nodejs > > in Bookworm to the latest 18.x security/LTS release ] > > > > On Wed, Dec 27, 2023 at 03:03:20PM +0100 Jérémy Lal wrote: > > > > > I don't think so, there are all either node-undici-related, or just test > > > suites regressions. > > > Here are the details: > > > > > > node-zx is a regression in the test suite only, fixed there: > > > > > https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2 > > > > > > node-yaml is caused by missing node-undici > > > > > > node-v8-compile-cache is a regression in the test suite only, fixed > > there: > > > > > https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc > > > > > > node-babel7 is a regression in the test suite, fixed there: > > > > > https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5 > > > > > > node-re2 is caused by missing node-undici > > > > Great, thanks for the detailed analysis! > > > > This means the update to .19 will regress autopkgtests for node-zx, > > node-v8-compile-cache > > and node-babel7, but since these are all only test suite regressions, we > > can just go > > ahead and fix the tests in a subsequent bookworm point update, ok? > > > > Ok, so I suppose js-team would need to upload those three packages to t-p-u Indeed: Not testing-proposed-updates (which is only for the testing distribution), but instead for stable-proposed-updates, which is a very similar process: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions Cheers, Moritz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le mer. 27 déc. 2023 à 17:16, Moritz Mühlenhoff a écrit : > [ Also adding Paul Gevers for awareness, for context we're bumping nodejs > in Bookworm to the latest 18.x security/LTS release ] > > On Wed, Dec 27, 2023 at 03:03:20PM +0100 Jérémy Lal wrote: > > > I don't think so, there are all either node-undici-related, or just test > > suites regressions. > > Here are the details: > > > > node-zx is a regression in the test suite only, fixed there: > > > https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2 > > > > node-yaml is caused by missing node-undici > > > > node-v8-compile-cache is a regression in the test suite only, fixed > there: > > > https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc > > > > node-babel7 is a regression in the test suite, fixed there: > > > https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5 > > > > node-re2 is caused by missing node-undici > > Great, thanks for the detailed analysis! > > This means the update to .19 will regress autopkgtests for node-zx, > node-v8-compile-cache > and node-babel7, but since these are all only test suite regressions, we > can just go > ahead and fix the tests in a subsequent bookworm point update, ok? > Ok, so I suppose js-team would need to upload those three packages to t-p-u ? -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
[ Also adding Paul Gevers for awareness, for context we're bumping nodejs in Bookworm to the latest 18.x security/LTS release ] On Wed, Dec 27, 2023 at 03:03:20PM +0100 Jérémy Lal wrote: > I don't think so, there are all either node-undici-related, or just test > suites regressions. > Here are the details: > > node-zx is a regression in the test suite only, fixed there: > https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2 > > node-yaml is caused by missing node-undici > > node-v8-compile-cache is a regression in the test suite only, fixed there: > https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc > > node-babel7 is a regression in the test suite, fixed there: > https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5 > > node-re2 is caused by missing node-undici Great, thanks for the detailed analysis! This means the update to .19 will regress autopkgtests for node-zx, node-v8-compile-cache and node-babel7, but since these are all only test suite regressions, we can just go ahead and fix the tests in a subsequent bookworm point update, ok? Cheers, Moritz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le mer. 27 déc. 2023 à 14:43, Moritz Mühlenhoff a écrit : > Am Thu, Dec 21, 2023 at 11:26:27PM +0100 schrieb Jérémy Lal: > > Le jeu. 21 déc. 2023 à 20:34, Moritz Mühlenhoff a > écrit : > > > > > Am Thu, Dec 21, 2023 at 11:29:12AM +0100 schrieb Jérémy Lal: > > > > Le jeu. 21 déc. 2023 à 10:54, Moritz Muehlenhoff a > > > écrit : > > > > > > > > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso > wrote: > > > > > > Hi, > > > > > > > > > > > > [CC'ing node-undici uploader] > > > > > > > > > > > > > [CC-ing the good email address for node-undici uploader] > > > > > > > > Attached is a debdiff for a node-undici update (which backports what > has > > > > been done in testing). > > > > > > Looks good to me, please build with -sa (since it's the first upload > > > to bookworm-security) and upload to security-master. > > > > > > > Note that nodejs 18.19.0 doesn't need this node-undici version to be > built, > > only typescript consumers need it (when rebuilding packages in bookworm, > > or when simply using a typescript compiler in bookworm). > > I checked the autopkgtest results for 18.19 on bookworm (it's running > on security-master and isn't public at this point) and there are > five packages marked as regressing, for which I'm attaching the logs. > > Two have explicit references to the node-undici (but since the new > node-undici isn't installed into the archive yet, these will only > recover when it's out). > > Could you please do a quick pass over these if the other three are also > related or whether we potentially also need to update other packages > in bookworm? I don't think so, there are all either node-undici-related, or just test suites regressions. Here are the details: node-zx is a regression in the test suite only, fixed there: https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2 node-yaml is caused by missing node-undici node-v8-compile-cache is a regression in the test suite only, fixed there: https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc node-babel7 is a regression in the test suite, fixed there: https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5 node-re2 is caused by missing node-undici Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le jeu. 21 déc. 2023 à 20:34, Moritz Mühlenhoff a écrit : > Am Thu, Dec 21, 2023 at 11:29:12AM +0100 schrieb Jérémy Lal: > > Le jeu. 21 déc. 2023 à 10:54, Moritz Muehlenhoff a > écrit : > > > > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote: > > > > Hi, > > > > > > > > [CC'ing node-undici uploader] > > > > > > > [CC-ing the good email address for node-undici uploader] > > > > Attached is a debdiff for a node-undici update (which backports what has > > been done in testing). > > Looks good to me, please build with -sa (since it's the first upload > to bookworm-security) and upload to security-master. > Note that nodejs 18.19.0 doesn't need this node-undici version to be built, only typescript consumers need it (when rebuilding packages in bookworm, or when simply using a typescript compiler in bookworm). Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Am Thu, Dec 21, 2023 at 11:29:12AM +0100 schrieb Jérémy Lal: > Le jeu. 21 déc. 2023 à 10:54, Moritz Muehlenhoff a écrit : > > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote: > > > Hi, > > > > > > [CC'ing node-undici uploader] > > > > [CC-ing the good email address for node-undici uploader] > > Attached is a debdiff for a node-undici update (which backports what has > been done in testing). Looks good to me, please build with -sa (since it's the first upload to bookworm-security) and upload to security-master. Cheers, Moritz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le jeu. 21 déc. 2023 à 10:54, Moritz Muehlenhoff a écrit : > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote: > > Hi, > > > > [CC'ing node-undici uploader] > [CC-ing the good email address for node-undici uploader] > > > >> Ack, let's do that. Could you prepare bookworm-security updates > > > >> based on 18.17.0 (after it has landed in unstable)? > > > > > > > nodejs 18.19.0 has landed in testing. > > > It rebuilds fine in bookworm, and test-suite-during-build pass on > amd64. > > > > > > It also requires "node-undici", precisely for that change: > > > > > > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium > > > > > > * Build and publish undici-types, needed by new @types/node > > > > > > Is there a way to deal with this ? > > > > Then I guess we need this as pre-requisite upload to bookworm as well. > > > > Maybe Moritz has a better idea, but one option is to propose this > > update regularly as bookworm-pu and once it's in proposed update ask > > DSA to make the security chroots pick as well updates from > > prpopsoed-updates if we plan to release nodejs via a DSA (or otherwise > > via bookworm-pu as well). > > > > One other alternative is to make a non-security upload for > > node-unidici containing that change to the security archive, which the > > nodejs update can pick. > > I think we can handle it similar to what we recently did when OpenJDK > bumped > it's requirement for jtreg: When we have a suitable update for node-undici > Attached is a debdiff for a node-undici update (which backports what has been done in testing). > we upload it to security-master and the security buildds will be able to > use it to build the new nodejs. And then it simply gets released along with > the nodejs update. > > Cheers, > Moritz > node-undici-deb12u2-to-deb12u3.debdiff Description: Binary data -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote: > Hi, > > [CC'ing node-undici uploader] > > >> Ack, let's do that. Could you prepare bookworm-security updates > > >> based on 18.17.0 (after it has landed in unstable)? > > > > > nodejs 18.19.0 has landed in testing. > > It rebuilds fine in bookworm, and test-suite-during-build pass on amd64. > > > > It also requires "node-undici", precisely for that change: > > > > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium > > > > * Build and publish undici-types, needed by new @types/node > > > > Is there a way to deal with this ? > > Then I guess we need this as pre-requisite upload to bookworm as well. > > Maybe Moritz has a better idea, but one option is to propose this > update regularly as bookworm-pu and once it's in proposed update ask > DSA to make the security chroots pick as well updates from > prpopsoed-updates if we plan to release nodejs via a DSA (or otherwise > via bookworm-pu as well). > > One other alternative is to make a non-security upload for > node-unidici containing that change to the security archive, which the > nodejs update can pick. I think we can handle it similar to what we recently did when OpenJDK bumped it's requirement for jtreg: When we have a suitable update for node-undici we upload it to security-master and the security buildds will be able to use it to build the new nodejs. And then it simply gets released along with the nodejs update. Cheers, Moritz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Hi, [CC'ing node-undici uploader] On Wed, Dec 20, 2023 at 09:12:36PM +0100, J??r??my Lal wrote: > Le mer. 19 juil. 2023 ?? 21:51, J??r??my Lal a ??crit : > > > > > > > Le mer. 19 juil. 2023 ?? 14:18, Moritz M??hlenhoff a > > ??crit : > > > >> Am Fri, Jun 30, 2023 at 08:12:37PM +0200 schrieb J??r??my Lal: > >> > Hi, > >> > > >> > Le ven. 30 juin 2023 ?? 19:21, Salvatore Bonaccorso > >> a > >> > ??crit : > >> > > >> > > Source: nodejs > >> > > Version: 18.13.0+dfsg1-1 > >> > > Severity: important > >> > > Tags: security upstream > >> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team < > >> > > t...@security.debian.org> > >> > > > >> > > Hi, > >> > > > >> > > The following vulnerabilities were published for nodejs. > >> > > > >> > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and > >> > > CVE-2023-30590[3]. > >> > > > >> > > > >> > > If you fix the vulnerabilities please also make sure to include the > >> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > >> > > > >> > > >> > It would be interesting to know if we adopt the same plan we had with > >> > security team: > >> > full upstream updates in the same branch, 18.x here. > >> > >> Ack, let's do that. Could you prepare bookworm-security updates > >> based on 18.17.0 (after it has landed in unstable)? > > > > > nodejs 18.19.0 has landed in testing. > It rebuilds fine in bookworm, and test-suite-during-build pass on amd64. > > It also requires "node-undici", precisely for that change: > > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium > > * Build and publish undici-types, needed by new @types/node > > Is there a way to deal with this ? Then I guess we need this as pre-requisite upload to bookworm as well. Maybe Moritz has a better idea, but one option is to propose this update regularly as bookworm-pu and once it's in proposed update ask DSA to make the security chroots pick as well updates from prpopsoed-updates if we plan to release nodejs via a DSA (or otherwise via bookworm-pu as well). One other alternative is to make a non-security upload for node-unidici containing that change to the security archive, which the nodejs update can pick. Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le mer. 19 juil. 2023 à 21:51, Jérémy Lal a écrit : > > > Le mer. 19 juil. 2023 à 14:18, Moritz Mühlenhoff a > écrit : > >> Am Fri, Jun 30, 2023 at 08:12:37PM +0200 schrieb Jérémy Lal: >> > Hi, >> > >> > Le ven. 30 juin 2023 à 19:21, Salvatore Bonaccorso >> a >> > écrit : >> > >> > > Source: nodejs >> > > Version: 18.13.0+dfsg1-1 >> > > Severity: important >> > > Tags: security upstream >> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team < >> > > t...@security.debian.org> >> > > >> > > Hi, >> > > >> > > The following vulnerabilities were published for nodejs. >> > > >> > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and >> > > CVE-2023-30590[3]. >> > > >> > > >> > > If you fix the vulnerabilities please also make sure to include the >> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. >> > > >> > >> > It would be interesting to know if we adopt the same plan we had with >> > security team: >> > full upstream updates in the same branch, 18.x here. >> >> Ack, let's do that. Could you prepare bookworm-security updates >> based on 18.17.0 (after it has landed in unstable)? > > nodejs 18.19.0 has landed in testing. It rebuilds fine in bookworm, and test-suite-during-build pass on amd64. It also requires "node-undici", precisely for that change: node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium * Build and publish undici-types, needed by new @types/node Is there a way to deal with this ? Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Le mer. 19 juil. 2023 à 14:18, Moritz Mühlenhoff a écrit : > Am Fri, Jun 30, 2023 at 08:12:37PM +0200 schrieb Jérémy Lal: > > Hi, > > > > Le ven. 30 juin 2023 à 19:21, Salvatore Bonaccorso a > > écrit : > > > > > Source: nodejs > > > Version: 18.13.0+dfsg1-1 > > > Severity: important > > > Tags: security upstream > > > X-Debbugs-Cc: car...@debian.org, Debian Security Team < > > > t...@security.debian.org> > > > > > > Hi, > > > > > > The following vulnerabilities were published for nodejs. > > > > > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and > > > CVE-2023-30590[3]. > > > > > > > > > If you fix the vulnerabilities please also make sure to include the > > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > > > > > > It would be interesting to know if we adopt the same plan we had with > > security team: > > full upstream updates in the same branch, 18.x here. > > Ack, let's do that. Could you prepare bookworm-security updates > based on 18.17.0 (after it has landed in unstable)? > Will do. Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Am Fri, Jun 30, 2023 at 08:12:37PM +0200 schrieb Jérémy Lal: > Hi, > > Le ven. 30 juin 2023 à 19:21, Salvatore Bonaccorso a > écrit : > > > Source: nodejs > > Version: 18.13.0+dfsg1-1 > > Severity: important > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debian Security Team < > > t...@security.debian.org> > > > > Hi, > > > > The following vulnerabilities were published for nodejs. > > > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and > > CVE-2023-30590[3]. > > > > > > If you fix the vulnerabilities please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > > > It would be interesting to know if we adopt the same plan we had with > security team: > full upstream updates in the same branch, 18.x here. Ack, let's do that. Could you prepare bookworm-security updates based on 18.17.0 (after it has landed in unstable)? Cheers, Moritz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Hi [CC'ing the security team alias] On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote: > Hi, > > Le ven. 30 juin 2023 à 19:21, Salvatore Bonaccorso a > écrit : > > > Source: nodejs > > Version: 18.13.0+dfsg1-1 > > Severity: important > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debian Security Team < > > t...@security.debian.org> > > > > Hi, > > > > The following vulnerabilities were published for nodejs. > > > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and > > CVE-2023-30590[3]. > > > > > > If you fix the vulnerabilities please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > > > It would be interesting to know if we adopt the same plan we had with > security team: > full upstream updates in the same branch, 18.x here. Yes I think we can do the same for bookworm and follow the 18.x releases given it is a LTS branch. Unless you have some reason to believe it would not be wise to do for the 18.x series. Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Hi, Le ven. 30 juin 2023 à 19:21, Salvatore Bonaccorso a écrit : > Source: nodejs > Version: 18.13.0+dfsg1-1 > Severity: important > Tags: security upstream > X-Debbugs-Cc: car...@debian.org, Debian Security Team < > t...@security.debian.org> > > Hi, > > The following vulnerabilities were published for nodejs. > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and > CVE-2023-30590[3]. > > > If you fix the vulnerabilities please also make sure to include the > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > It would be interesting to know if we adopt the same plan we had with security team: full upstream updates in the same branch, 18.x here. Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel