Potential MBF: Migration from twitter-bootstrap{3,4} to bootstrap-html (v5)
Santiago Ruano Rincón
2025-02-03 22:50:01 UTC
Dear all,
Dear fellow developers,
(Sorry for any duplicate. I've tried to send a first mail to
debian-devel, but it hadn't reached the list. So I am sending a more
compact version of my previous message.)
https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2024-October/081589.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059#5,
I would like to discuss a mass bug filing for packages {,build-}
depending on twitter-bootstrap3 or twitter-bootstrap4, that have been
EOL'ed by upstream. The security support for bootstrap 3 and 4 has some
challenges, and it would be great if the packages depending on them
could migrate to bootstrap 5.
However, bootstrap 5 is not just a drop-in replacement, and some
patching at upstream level may be needed. It is probably too late for
trixie. A more realistic target would be trixie+1. In any case, from the
security support PoV, the more packages that have moved to
bootstrap5 for trixie, the better.
The list of concerned reverse dependencies and their maintainers, for
the two different versions, can be found attached here. For simplicity,
this time I've included the first level of reverse dependencies only.
[snip]

You are probably aware that I filed the bootstrap v5
migration-related bugs, which can be listed with:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-***@lists.debian.org

Do you believe their severity could be increased? If yes, to important,
to grave?

It would be great to get rid of the dependencies on those unmaintained
bootstrap versions, whose outstanding (minor-severity) CVEs are
difficult to get fixed, and it will be the case for any future issue.
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4

The time for fixing all of those dependencies is probably too short for
trixie. But I would like to bring it up for discussion.

Any thoughts?

Cheers,

-- Santiago
Paul Gevers
2025-02-06 08:30:01 UTC
Hi Security team, Santiago,
Post by Santiago Ruano Rincón
You are probably aware that I filed the bootstrap v5
Do you believe their severity could be increased? If yes, to important,
to grave?
It would be great to get rid of the dependencies on those unmaintained
bootstrap versions, whose outstanding (minor-severity) CVEs are
difficult to get fixed, and it will be the case for any future issue.
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
The time for fixing all of those dependencies is probably too short for
trixie. But I would like to bring it up for discussion.
@Santiago, are there key packages involved in this? If so, which?

What's the opinion of the security team on this? I want to follow your
lead here. If you think it's better from a security standpoint to not
have this in trixie, I'm fine with raising severity now (assuming no key
packages are involved).

Paul
Sebastian Ramacher
2025-02-07 11:20:01 UTC
Post by Paul Gevers
Hi Security team, Santiago,
Post by Santiago Ruano Rincón
You are probably aware that I filed the bootstrap v5
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-
Do you believe their severity could be increased? If yes, to important,
to grave?
It would be great to get rid of the dependencies on those unmaintained
bootstrap versions, whose outstanding (minor-severity) CVEs are
difficult to get fixed, and it will be the case for any future issue.
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
The time for fixing all of those dependencies is probably too short for
trixie. But I would like to bring it up for discussion.
@Santiago, are there key packages involved in this? If so, which?
What's the opinion of the security team on this? I want to follow your
lead here. If you think it's better from a security standpoint to not
have this in trixie, I'm fine with raising severity now (assuming no key
packages are involved).
I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing,
ffmpeg

The use of twitter-bootstrap3 for ffmpeg is for offline
documentation. I don't see any security issue with that.

Cheers

fmtlib
guzzle-sphinx-theme
jupyter-server
libevdev
pydoctor
ruby-sidekiq
I haven't checked twitter-bootstrap4.
Cheers,
Emilio
--
Sebastian Ramacher