On 26. 07. 20 at 13:44, Miro Hrončok wrote:
> On 29. 06. 20 17:49, Vít Ondruch wrote:
>> On 29. 06. 20 at 17:21, Miro Hrončok wrote:
>>> js-jquery1 nodejs-sig, patches, vondruch Fedora 30
>>> js-jquery2 vondruch Fedora 30
>>> js-sizzle nodejs-sig, patches, vondruch Fedora 30
>>>
>> I was ranting about js-jquery (and js-sizzle is a dependency of js-jquery)
>> on this list already several times. I picked it up just to keep it alive
>> in whatever state, because bundling it everywhere won't make things
>> better. So is there anybody who would like to give it some love? Or
>> should I let the packages finally go and let everybody else bundle
>> whatever they want?
>
> Since the packages are on their way to retirement, I've taken a look.
>
> 1) I see that most of the build dependencies of js-jquery1/js-jquery2
> are gone.
>
> 2) I see that all the FTBFS bugs are ASSIGNED without a single
> response about a plan to fix the problem. From your emails it seems
> the plan was always to "do nothing".
>
> 3) I see that both jqueries have several moderate CVEs open without a
> single response for months. From your "in whatever state" statement it
> seems the plan was to never fix those. The packages would need to be
> buildable in the first place in order to be able to fix them.
>
> Arguably, the benefit of having an unbundled dependency is mostly gone
> when the library is not maintained at all. It seems safer if other
> packages bundle and when they have a CVE open, the maintainers can
> evaluate the impact of the problem on their package. Even if 100
> packages bundle jquery and only 10 of them evaluate the impact of CVEs
> and/or fix the CVEs in their packages, the situation is better than now.

I think this is a bit of an optimistic POV. I think that in most of the
packages, there won't even be "bundled(jquery)" which would let the SRT
report the proper trackers. But I hope you are right and I am wrong :)

>
> So yes, please let the packages go.

I will.

Vít
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx