On Mon, Oct 15, 2018 at 10:41:25PM +0200, Steinar H. Gunderson wrote:
> On Mon, Oct 15, 2018 at 10:33:11PM +0200, Moritz Muehlenhoff wrote:
> > Ultimately this is up for Michael to decide, as he's dealing with Chromium
> > updates single-handedly.
>
> Agreed.
>
> > Personally I have no reservations against this entering unstable, but this
> > doesn't sound
> > like something that should enter a stable release. If the Chrome
> > development team with
> > it's hundreds of full time developers can't/wont commit to a stable
> > interface for these
> > kinds of extensions, why should we kludge around this with our sparse
> > resources?
>
> I guess the answer is because software wants it. :-)
>
> CEF exists precisely to be an API-stable interface for this; it's unfortunate
> that Chrome doesn't care enough, but CEF is meant to be that layer, and seems
> to be doing pretty well (judging by the amount of software that uses it).
But our current infrastructure for security.debian.org doesn't scale for this
kind of API whack-a-mole. Any update to unbreak CEF after Chromium major
releases
would need to go through the security team and sucks up our time which is more
usefully spend elsewhere.
Realistically, to make this would we'd need $SOMEONE to implement #817285, if
that were in place we could simply push an ACL change and enable you take care
of CEF updates in buster-security on your own.
Cheers,
Moritz
