Hi, On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jo...@jones.dk> wrote:
> Quoting mer...@debian.org (2020-07-08 15:13:06) > > The upstream has updated the libsass support to 3.6.3 [1], it's just > > not released yet. I have successfully used head of their git > > repository to build node-node-sass without the embedded libsass copy > > (there were a couple of failing mocha tests, however). > @Andrius: Thanks a lot for your work on this :-) > Thanks for looking into this issue! > > Please strongly consider to not only make the package link with > system-shared libsass, but also repackage upstream tarball with embedded > code copy removed, to ensure not accidentally using that code (and to > lighten the size of what gets distributed in Debian and simplify > copyright tracking and ease security tracking). @Jonas: I considered the same approach after the first source-only-upload was done. However, it might so happen that going forward the version of sass is updated to a newer upstream, and Debian adapts to that particular release, but the node-sass upstream might only have support for libsass 3.6.3 - considering that upstream of node-node-sass is slower to adapt to changes. This would cause node-node-sass to FTBFS. Hence, I wish to keep the embedded copy of libsass if such a situation arises. The package built with the libsass in the archive earlier - when it started to FTBFS, a flag was appended for it to build with the embedded version of libsass. On reverting the commit[1], it'd again start building with the libsass in the archive. I'd wish to keep the same approach. _Please let me know_ if this doesn't sound good to you and if you'd prefer embedded libsass to be stripped entirely. [1]: https://salsa.debian.org/js-team/node-node-sass/-/commit/bb9e5ede14253ecc02140f9a5e946b580afed3d4 Kind Regards, Nilesh