On 26. 07. 20 at 13:44, Miro Hrončok wrote:
> On 29. 06. 20 17:49, Vít Ondruch wrote:
>> On 29. 06. 20 at 17:21, Miro Hrončok wrote:
>>> js-jquery1 nodejs-sig, patches, vondruch Fedora 30
>>> js-jquery2 vondruch Fedora 30
>>> js-sizzle nodejs-sig, patches, vondruch Fedora 30
>>>
>> I was ranting about js-jquery (and js-sizzle is a dependency of js-jquery)
>> on this list already several times. I picked it up just to keep it alive
>> in whatever state, because bundling it everywhere won't make things
>> better. So is there anybody who would like to give it some love? Or
>> should I let the packages finally go and let everybody else bundle
>> whatever they want?
> Since the packages are on their way to retirement, I've taken a look.
> 1) I see that most of the build dependencies of js-jquery1/js-jquery2
> are gone.
> 2) I see that all the FTBFS bugs are ASSIGNED without a single
> response about a plan to fix the problem. From your emails it seems
> the plan was always to "do nothing".
> 3) I see that both jqueries have several moderate CVEs open without a
> single response for months. From your "in whatever state" statement it
> seems the plan was to never fix those. The packages would need to be
> buildable in the first place in order to be able to fix them.
> Arguably, the benefit of having an unbundled dependency is mostly gone
> when the library is not maintained at all. It seems safer if other
> packages bundle and when they have a CVE open, the maintainers can
> evaluate the impact of the problem on their package. Even if 100
> packages bundle jquery and only 10 of them evaluate the impact of CVEs
> and/or fix the CVEs in their packages, the situation is better than now.
I think this is a bit optimistic POV. I think that in most of the
packages, there won't be even "bundled(jquery)" which would let the SRT
report the proper trackers. But I hope you are right and I am wrong :)
So yes, please let the packages go.
I will.
Vít