I intend to fix them as much as possible, then propose nodejs to stable. There will be a (possibly long) delay in the bookworm-proposed-updates queue, because it depends on a team that has a lot to do already, but eventually it will get into stable.
On Thu, 20 Feb 2025 at 06:58, Naaz, Syeda Shagufta <syedashagufta.n...@siemens.com> wrote:

> Hi Jeremy Lal,
>
> If I have understood your previous communication correctly, it appears that
>
> 1. The tests for the following two packages are failing due to the OpenSSL CVE-2023-46809 <https://security-tracker.debian.org/tracker/CVE-2023-46809> fix. However, upon reviewing the patch changes, it seems that this behaviour is expected. The error encountered is a warning to the user about the deprecation of RSA_PKCS1_PADDING for private decryption, with an option to revert the fix if necessary:
>
>   - node-node-rsa_1.1.1-4
>   - node-public-encrypt_4.0.3-1
>
> Will it be appropriate to comment out this test?
>
> 2. This is part of the Math Team's work, as seen here: Macaulay2 <https://salsa.debian.org/math-team/macaulay2>. Considering this, do we really need to address this issue, like how you mentioned the case of *dask.distributed_2022.12.1+ds.1-3*?
>
>   - macaulay2_1.21+ds-3
>
> 3. These two packages are failing due to issues with pkg-javascript, as mentioned for *node-minipass_3.3.6+~cs9.4.19-1*.
>
>   - node-rollup-plugin-sass_1.12.16-1 (dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test)
>   - node-mutate-fs_2.1.1-2 (dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test)
>
> Your input will be valuable in helping clarify the next steps for these issues.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
> *SIEMENS* *FT FDS (Foundational Services)*
>
> *From:* Jérémy Lal <kapo...@melix.org>
> *Sent:* 18 February 2025 05:32
> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
> *Cc:* pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) <ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) <hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) <badrikesh.pru...@siemens.com>
> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
>
> Update:
>
> Done: node-rollup_3.15.0-1
> Done: node-redis_4.5.1+~1.1.2-1
> Not a regression of nodejs, but is a pkg-javascript problem so it's Done: node-minipass_3.3.6+~cs9.4.19-1
> Not a regression of nodejs, not my problem at all: dask.distributed_2022.12.1+ds.1-3
> Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
> Done: node-csstype_3.1.1-1
>
> "Done" means there is a FTBFS bug for that package,
> and I opened a release.debian.org bug containing a diff that fixes the FTBFS bug for that package.
>
> On Mon, 17 Feb 2025 at 12:04, Jérémy Lal <kapo...@melix.org> wrote:
>
> Thank you for this helpful work.
> Yes, since the latest nodejs update to bookworm has been somewhat catastrophic,
> it is our duty to ensure the next one goes very smoothly for it to be accepted.
>
> To sum up, we have this:
>
> Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and nodejs_18.20.4+dfsg-1~deb12u1:
> node-rollup_3.15.0-1
> node-redis_4.5.1+~1.1.2-1
> node-minipass_3.3.6+~cs9.4.19-1
> dask.distributed_2022.12.1+ds.1-3
> jquery_3.3.1~dfsg-3
> node-csstype_3.1.1-1
> node-recast_0.21.1-1
> node-js-sdsl_4.1.4-2
> node-wikibase-cli_15.15.4-4
> node-regexpp_3.2.0-4
> science.js_1.9.3+dfsg-3
> moment-timezone.js_0.5.40+dfsg-1+2023c
> node-resolve_1.22.1+~cs5.31.10-1
> node-jest_29.3.1~ds1+~cs70.48.25-2
> node-jschardet_3.0.0+dfsg+~1.4.0-2
> node-lib0_0.2.58-1
>
> 1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
> PASSED: firefox-esr_128.5.0esr-1~deb12u1
>
> 5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
> node-node-rsa_1.1.1-4
> node-rollup-plugin-sass_1.12.16-1
> macaulay2_1.21+ds-3
> node-public-encrypt_4.0.3-1
> node-mutate-fs_2.1.1-2
>
> The goal is to fix them (ensure they build, and their autopkgtest pass for node 18.20.4), then do a reportbug release.debian.org
> to bookworm-pu for each of them, finishing with a bookworm-pu for nodejs 18.20.4.
> Attention: some of them might already have bookworm-pu bugs opened.
>
> On Mon, 17 Feb 2025 at 11:36, Naaz, Syeda Shagufta <syedashagufta.n...@siemens.com> wrote:
>
> Hi Jeremy Lal,
>
> Thank you for your earlier email.
>
> As per your suggestion, I have attached the RATT test results for Node.js versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with the build logs for the failed packages.
>
> Upon reviewing the results, I noticed the following:
>
> - Version 18.19.0 has failures in *18* packages.
>   1. firefox-esr_128.5.0esr-1~deb12u1: this package failed in version 18.19.0 but passed in version 18.20.4.
>
> - Version 18.20.4 has failures in *22* packages, of which 5 are additional compared to v18.19.0:
>   1. node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
>   2. node-node-rsa_1.1.1-4 (failure in dh_auto_test)
>   3. node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
>   4. macaulay2_1.21+ds-3 (failure in dh_auto_build)
>   5. node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
>
> I also noticed that the first two packages are failing due to the OpenSSL CVE fix for CVE-2023-46809 <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
>
> Could the additional failures in version 18.20.4 be the reason the update has not yet been implemented?
> I would appreciate your insights on this matter. Please let me know your thoughts.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
> *SIEMENS* *FT FDS (Foundational Services)*
>
> *From:* Jérémy Lal <kapo...@melix.org>
> *Sent:* 07 February 2025 16:31
> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
> *Cc:* pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) <ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) <hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) <badrikesh.pru...@siemens.com>
> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
>
> Also note that debian/trixie will have a version of nodejs that uses even more external dependencies,
> with a source tarball excluding the externalized dependencies, which will make the process of doing security uploads easier for everyone.
>
> On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapo...@melix.org> wrote:
>
> Security uploads take a lot of work to ensure all reverse (build-)dependencies of a package build and pass their test suite successfully.
> For that last upload, I, in particular, lost track of time.
>
> To help me, one can redo those verifications, and then, once several packages failing to rebuild have been identified,
> they must be fixed, proposed to bookworm, and once they are all accepted, that version of nodejs can be proposed to bookworm too.
>
> On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta <syedashagufta.n...@siemens.com> wrote:
>
> Package: nodejs
> Version: 18.19.0+dfsg-6~deb12u2
> Severity: critical
>
> Dear Debian Community,
>
> We are currently working with the Debian Bookworm <https://packages.debian.org/bookworm/nodejs> 12.9 release for our project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>
> However, upon reviewing the salsa-debian/bookworm <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available, which includes fixes for multiple CVE issues, such as:
>
> - CVE-2024-27983 <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2 HIGH*)
> - CVE-2024-21892 <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5 HIGH*)
> - CVE-2024-22019 <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5 HIGH*)
>
> These fixes are not included in the current Bookworm release. Having the severity of some of these vulnerabilities as High, we are eager for these fixes to be available.
>
> Could you please help clarify why there is a discrepancy between the version in the Bookworm release and the one on salsa? Is there any specific reason for the delay, and is there any fixed timeline for resolving this?
>
> I appreciate your time and guidance on this matter.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
> *SIEMENS* *FT FDS (Foundational Services)*
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel