[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: Orphaned Packages in rawhide (2018-08-27) - js-jqeury1
From:       Björn Persson <Bjorn () xn--rombobjrn-67a ! se>
Date:       2018-08-29 12:14:48
Message-ID: 20180829141448.57a62c5d () tag ! xn--rombobjrn-67a ! se
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


Vít Ondruch wrote:
> Dne 28.8.2018 v 15:58 Christopher napsal(a):
> > Given the security vulnerabilities in jQuery 1 (and 2) and the fact
> > that upstream dropped them a long time ago, I strongly recommend the
> > packages be retired than kept alive. Packagers depend on the newer
> > js-jquery (3) instead, patching as needed.  
> 
> Of course I see your point. Nevertheless, I still believe that it is
> better to have the CVEs in one package where they will be eventually
> fixed then spread across the whole Fedora bundled in all packages,
> because I am quite sure this will be the result of retiring js-jquery1.

What reason do you have to believe that the security holes in Jquery 1
will eventually be fixed, if upstream has abandoned it in favor of
Jquery 3?

Note also that insecure packages will be forcibly removed per Fesco
decision just this week:
https://pagure.io/fesco/issue/1935

You'd have to obtain some kind of exemption from that policy if you
want to keep an insecure Jquery 1 around indefinitely.

Björn Persson

[Attachment #5 (application/pgp-signature)]
[Attachment #6 (text/plain)]

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


[prev in list] [next in list] [prev in thread] [next in thread]