On Wed, 29 Aug 2018 at 08:16, Björn Persson <Bjorn@rombobjörn.se> wrote:
>
> Vít Ondruch wrote:
> > Dne 28.8.2018 v 15:58 Christopher napsal(a):
> > > Given the security vulnerabilities in jQuery 1 (and 2) and the fact
> > > that upstream dropped them a long time ago, I strongly recommend the
> > > packages be retired rather than kept alive. Packagers depend on the newer
> > > js-jquery (3) instead, patching as needed.
> >
> > Of course I see your point. Nevertheless, I still believe that it is
> > better to have the CVEs in one package where they will be eventually
> > fixed than spread across the whole Fedora bundled in all packages,
> > because I am quite sure this will be the result of retiring js-jquery1.
>
> What reason do you have to believe that the security holes in Jquery 1
> will eventually be fixed, if upstream has abandoned it in favor of
> Jquery 3?
>

He doesn't. What he is saying is that what will happen is that everyone who needed it will just bundle it up in their package (and may not even say they have). This means that everyone will scurry around looking for 30-40 CVEs instead of one. This is a classic 'zlib security' tradeoff. You can know you are in trouble and where the trouble is.. or feel good about yourself, assume you aren't in trouble, and then get hit over and over again as you find one more embedded version.

> Note also that insecure packages will be forcibly removed per Fesco
> decision just this week:
> https://pagure.io/fesco/issue/1935
>

So here is what is going to happen. Release A, jquery1 will be removed. A lot of packages will be 'fixed' by embedding jquery1 in them. Release B, some of those packages will be found and either fixed or removed. Release C, some more of those packages will be found...

For the proposal to work, not only do those packages need to be removed, but all packages requiring it need to be put on a watch list to confirm they are either removed because they can't be fixed, or updated to a fixed requirement.

We also need to make sure that upstream doesn't fix the problem by embedding it in somewhere that isn't easy to find. [I am mostly saying this from personal experience where I was a hard-ass about a removal requirement and was silently routed around.]

> You'd have to obtain some kind of exemption from that policy if you
> want to keep an insecure Jquery 1 around indefinitely.
>
> Björn Persson

-- 
Stephen J Smoogen.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
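The "watch list" problem the thread describes is finding the copies of jQuery 1.x that get embedded in other packages after js-jquery1 is retired. The following is an added example, not code from the thread or from Fedora tooling: a scanner that walks a tree (an unpacked package or a buildroot), recovers the version from the banner comment that upstream jQuery builds carry at the top of the file, and reports copies below the maintained major version. The sample files it scans are constructed; the path layout and `MAINTAINED_MAJOR = 3` are assumptions taken from the discussion.

```python
import os
import re
import tempfile

# Version banner at the top of upstream jQuery builds (minified: "/*! jQuery v1.12.4 ...",
# unminified: " * jQuery JavaScript Library v1.12.4"). Copies with the banner stripped are missed.
HEADER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
MAINTAINED_MAJOR = 3  # the thread: upstream dropped the 1.x and 2.x lines

def jquery_version(text):
    """Return (major, minor, patch) if text carries a jQuery banner, else None."""
    m = HEADER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def scan_tree(root):
    """Sorted (relative path, version) for every .js file under root that carries a jQuery banner."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    ver = jquery_version(fh.read(4096))  # the banner sits at the top
                if ver:
                    hits.append((os.path.relpath(path, root).replace(os.sep, "/"), ver))
    return sorted(hits)

def unmaintained(hits):
    """Keep only scan_tree() hits from the abandoned major versions."""
    return [(p, v) for p, v in hits if v[0] < MAINTAINED_MAJOR]

# Constructed sample tree: an old copy hidden under vendor/, a current copy, an unrelated file.
SAMPLE_FILES = {
    "static/vendor/lib.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a){}(this);\n",
    "static/jquery-3.3.1.js": "/*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/\n */\n",
    "static/app.js": "console.log('not jquery');\n",
}

def demo():
    """Write SAMPLE_FILES into a temp dir, scan it, and return the unmaintained copies found."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return unmaintained(scan_tree(tmp))

if __name__ == "__main__":
    for path, (major, minor, patch) in demo():
        print("bundled jQuery %d.%d.%d at %s" % (major, minor, patch, path))
```

A renamed or re-minified copy keeps its banner and is still caught; a copy with the banner cut off is the "somewhere that isn't easy to find" case and needs a content hash or a manual review instead.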