Daniel Kahn Gillmor
2011-Oct-13 19:22 UTC
[Secure-testing-team] Bug#645231: trac: python upgrade leads to inaccessible jquery.js
On 10/13/2011 02:24 PM, Jakub Wilk wrote:
> * Daniel Kahn Gillmor <dkg at fifthhorseman.net>, 2011-10-13, 13:38:
>> Thanks for packaging trac for debian, and for relying on the system
>> copy of jquery rather than on an embedded code copy.
>
> Then you probably won't be happy to find out that the version in sid
> uses the embedded copy.

hmm, the changelog says:

  * Drop 15_remove_jquery_file.dpatch because Trac requires a specific
    version of jQuery (Closes: #592734, #610557) (LP: #526810, #610205).

If a specific version is required, the trac debian package should have an explicit versioned dependency. Embedding a copy of another software package is bad news from a security and maintenance perspective.

I'm CC'ing the folks tracking embedded code copies [0] here so they're aware of this new issue.

Regards,

--dkg

[0] https://wiki.debian.org/EmbeddedCodeCopies
Yves-Alexis Perez
2011-Oct-14 07:22 UTC
[Secure-testing-team] Bug#645231: trac: python upgrade leads to inaccessible jquery.js
On jeu., 2011-10-13 at 15:22 -0400, Daniel Kahn Gillmor wrote:
> I'm CC'ing the folks tracking embedded code copies [0] here so they're
> aware of this new issue.

Thanks, I've added this to the list in secure-testing repository. Is there a bug tracking that?

Regards,
--
Yves-Alexis
Daniel Kahn Gillmor
2011-Oct-14 16:07 UTC
[Secure-testing-team] Bug#645231: trac: python upgrade leads to inaccessible jquery.js
On 10/14/2011 03:22 AM, Yves-Alexis Perez wrote:
> On jeu., 2011-10-13 at 15:22 -0400, Daniel Kahn Gillmor wrote:
>> I'm CC'ing the folks tracking embedded code copies [0] here so they're
>> aware of this new issue.
>
> Thanks, I've added this to the list in secure-testing repository. Is
> there a bug tracking that?

there is now: #645339

Regards,

--dkg