[Pkg-javascript-devel] Bug#773671: libv8-3.14: multiple security issues

2014-12-28 Thread Moritz Mühlenhoff
On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
> package: src:libv8-3.14
> severity: grave
> tags: security
> 
> Hi,
> 
> the following vulnerabilities were published for libv8-3.14.

So if I'm understanding the discussion on debian-devel correctly
the libv8 maintainers want to see this treated as an RC-bug.
Please clarify your intentions, do you

a) intend to fix these issues with patches and if that's not possible
remove libv8 along with its rev deps?

b) want to keep this with RC severity and tag it jessie-ignore.
I would consider that rather broken since foo-ignore is used for
issues which are ignored for once, but which will be addressed
in release+1. I don't see the libv8 situation change upstream...

c) plan something else I'm missing

Cheers,
Moritz

___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#773671: Bug#773671: libv8-3.14: multiple security issues

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
> Hi Moritz,
> 
> 2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff :
> > On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
> >> package: src:libv8-3.14
> >> severity: grave
> >> tags: security
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libv8-3.14.
> >
> > So if I'm understanding the discussion on debian-devel correctly
> > the libv8 maintainers want to see this treated as an RC-bug.
> > Please clarify your intentions, do you
> >
> > a) intend to fix these issues with patches and if that's not possible
> > remove libv8 along with its rev deps?
> >
> > b) want to keep this with RC severity and tag it jessie-ignore.
> > I would consider that rather broken since foo-ignore is used for
> > issues which are ignored for once, but which will be addressed
> > in release+1. I don't see the libv8 situation change upstream...
> The rationale behind opening the RC bugs was improving transparency on
> my side. I think more people follow bugs than the security tracker.

Ok. In the past we didn't file bugs on libv8 since they were unlikely
to be dealt with anyway. We'll file bugs for any future libv8 issues.

Cheers,
Moritz



Re: [Pkg-javascript-devel] Nodejs in stretch

2016-10-15 Thread Moritz Mühlenhoff

Sorry for the late reply, going through some backlog.

On Tue, Jul 12, 2016 at 10:17:23PM +0200, Jérémy Lal wrote:
> Hi,
> 
> 2016-07-12 11:06 GMT+02:00 Moritz Muehlenhoff :
> 
> > On Tue, Apr 26, 2016 at 11:32:54PM +0200, Jérémy Lal wrote:
> > > Update:
> > > https://nodejs.org/en/blog/announcements/v6-release
> > > """
> > > In October 2016, Node.js v6 will become the LTS release and the LTS release
> > > line (version 4) will go under maintenance mode in April 2017, meaning only
> > > critical bugs, critical security fixes and documentation updates will be
> > > permitted. Users should begin transitioning from v4 to v6 in October when
> > > v6 goes into LTS.
> > > """
> > >
> > > I guess it will be too late for next debian release - still, it's good to
> > > know.
> >
> > With the delayed freeze for jessie that would be doable again, right?
> > The nodejs LTS is more volatile than a traditional LTS (also including
> > bugfixes etc), but that seems ok (and is in line with e.g. security
> > support for Firefox ESR).
> >
> > If we include nodejs 6 with security support in jessie we would limit
> > it to the lifetime of that LTS branch. Is it already known how long
> > that will be?
> >
> 
> The schedule [here](https://github.com/nodejs/LTS) states 2019-04-01
> for the end of LTS 6 branch.

Ok, we should limit the security support to that timeframe, then (or
maybe slightly longer until the next release with a little overlap to
stretch+1), but not to the full lifetime of a stable release.

What are your plans for making the switch in sid/testing?

> (For example I would very much like to use the source code of v8 shipped in
> Node.js as *the* source for a libv8 package, thus taking advantage of the long
> term support of nodejs, but I didn't find the time to do it.)

Ok, otherwise the standalone copy in the archive will remain uncovered
by security support as in jessie.

> > While I'm fine with nodejs in stretch, I have strong concerns about the
> > various node-* packages in the archive. It appears to me that the node
> > modules ecosystem is very volatile and I have doubts that the various
> > module upstreams will be able/willing to support the LTS branch of
> > nodejs (or security backports in general). As of today we have
> > already ten modules with unfixed security issues in unstable :-/
> >
> > I think we can provide nodejs as a solid for server applications,
> > but herding lots of poorly maintained node modules in a stable release
> > is stretching our resources too thin. Also, I suppose everyone is
> > used to npm anyway.
> >
> 
> It does indeed require a lot of man power and we're obviously short of it.
> I will happily ask to remove from testing many of the ones I uploaded
> myself; however (besides other obvious precautions):
> - some modules are very important to keep around (npm, node-gyp, node-nan,
> node-uglify and their dependencies to name a few)
> - Debian is very good at packaging Node.js C++ addons (and many authors
> of C++ addons do terrible things on install like distributing precompiled
> binaries, downloading precompiled libraries...)

Can you (or anyone else from the nodejs team) compile a list of packages
to keep in stretch, so that the remainders can be dropped when we get
closer to the freeze?

Cheers,
Moritz



Re: [Pkg-javascript-devel] Nodejs in stretch

2017-01-17 Thread Moritz Mühlenhoff
On Tue, Jul 12, 2016 at 10:17:23PM +0200, Jérémy Lal wrote:
> Hi,
> 
> 2016-07-12 11:06 GMT+02:00 Moritz Muehlenhoff :
> 
> > On Tue, Apr 26, 2016 at 11:32:54PM +0200, Jérémy Lal wrote:
> > > Update:
> > > https://nodejs.org/en/blog/announcements/v6-release
> > > """
> > > In October 2016, Node.js v6 will become the LTS release and the LTS
> > release
> > > line (version 4)
> > > will go under maintenance mode in April 2017, meaning only critical bugs,
> > > critical security
> > > fixes and documentation updates will be permitted.
> > > Users should begin transitioning from v4 to v6 in October when v6 goes
> > into
> > > LTS.
> > > """
> > >
> > > I guess it will be too late for next debian release - still, it's good to
> > > know.
> >
> > With the delayed freeze for jessie that would be doable again, right?
> > The nodejs LTS is more volatile than a traditional LTS (also including
> > bugfixes etc), but that seems ok (and is in line with e.g. security
> > support for Firefox ESR).
> >
> > If we include nodejs 6 with security support in jessie we would limit
> > it to the lifetime of that LTS branch. Is it already known how long
> > that will be?
> 
> The schedule [here](https://github.com/nodejs/LTS) states 2019-04-01
> for the end of LTS 6 branch.

To loop back to this; since 6.x didn't make it into stretch, nodejs
will need to be unsupported security-wise as we did for jessie.

Cheers,
Moritz