Vít Ondruch wrote:
> On 28.8.2018 at 15:58, Christopher wrote:
>> Given the security vulnerabilities in jQuery 1 (and 2) and the fact that upstream dropped them a long time ago, I strongly recommend the packages be retired rather than kept alive. Packagers depend on the newer js-jquery (3) instead, patching as needed.
> Of course I see your point. Nevertheless, I still believe that it is better to have the CVEs in one package where they will eventually be fixed than spread across the whole of Fedora, bundled in all packages, because I am quite sure this will be the result of retiring js-jquery1.
What reason do you have to believe that the security holes in jQuery 1 will eventually be fixed, if upstream has abandoned it in favor of jQuery 3?
Note also that insecure packages will be forcibly removed per the FESCo decision just this week: https://pagure.io/fesco/issue/1935
You'd have to obtain some kind of exemption from that policy if you want to keep an insecure jQuery 1 around indefinitely.
Björn Persson