On Tue, Aug 28, 2018 at 10:44 AM Vít Ondruch <vondr...@redhat.com> wrote:
>
>
> On 28.8.2018 at 15:58, Christopher wrote:
>
> On Tue, Aug 28, 2018 at 8:49 AM Vít Ondruch <vondr...@redhat.com> wrote:
>
>>
>> So this is the email announcing orphaning js-jquery1:
>>
>>
>> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/MI7W7TT3MUGMQTLYZYE5FKXUJCKFUXU7/
>>
>> But apparently it is used by more packages than just a few. So is there
>> somebody, who would be willing (more than me) to keep the package alive?
>>
>>
>> V.
>>
>>
> Given the security vulnerabilities in jQuery 1 (and 2) and the fact that
> upstream dropped them a long time ago, I strongly recommend the packages be
> retired rather than kept alive. Packagers depend on the newer js-jquery (3)
> instead, patching as needed.
>
>
> Of course I see your point. Nevertheless, I still believe that it is
> better to have the CVEs in one package where they will be eventually fixed
> than spread across the whole Fedora bundled in all packages, because I am
> quite sure this will be the result of retiring js-jquery1.
>
>

That's fair.

> Speaking of the two rubygem- packages from the list:
>
> 1. rubygem-cucumbe is going to be migrated to the latest jQuery. Anyway,
> this is a testing framework, so I don't see the old and vulnerable jQuery as
> a big deal.
>
> 2. I opened a ticket to migrate rubygem-apipie-rails to the most recent
> version of jQuery, but I don't think it is going to happen soon. Also, it
> is probably used in some generated documentation, not sure how critical the
> old jQuery is.
>
> And in addition:
>
> 3. There is jQuery embedded in every rubygem-*-doc package from
> rubygem-rdoc. You can use it as an example of bundling. But anyway, this
> is again "just" documentation, if used, then typically used just locally
> (although somebody might expose the documentation externally).
>
> V.
>
>
> [1] https://github.com/Apipie/apipie-rails/issues/628
>
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>