From: Jérémy Lal <kapo...@melix.org>
Sent: 20 February 2025 15:23
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
Cc: Jérémy Lal <kapo...@melix.org>; 
pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES 
LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) 
<ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) 
<hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) 
<badrikesh.pru...@siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian 
repository

I intend to fix them as much as possible, then propose nodejs to stable.
There will be a (possibly long) delay in the bookworm-proposed-updates queue, 
because it depends on a team that has a lot to do already, but eventually it 
will get into stable.



Update on the recent package fixes,

We have reported bugs to Debian for both the node-node-rsa_1.1.1-4 and 
node-public-encrypt_4.0.3-1 packages, and merge requests addressing these 
issues have been raised in their respective repositories.
The autopkgtests have been verified with these fixes and have passed 
successfully on both the older (18.19.0+dfsg-6~deb12u2) and newer 
(18.20.4+dfsg-1~deb12u1) versions of Nodejs.

Please review the following,
node-node-rsa: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099640
node-public-encrypt: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100088

Regarding node-rollup-plugin-sass_1.12.16-1 and node-mutate-fs_2.1.1-2, after 
re-running the ratt tests, the previously observed issues are no longer 
present, indicating that these packages are now functioning as expected.

The only remaining issue will be with macaulay2_1.21+ds-3 package.

Please let me know if you have any questions or require further information.

Thanks,
Syeda

On Thu, 20 Feb 2025 at 06:58, Naaz, Syeda Shagufta 
<syedashagufta.n...@siemens.com> wrote:
Hi Jeremy Lal,

If I have understood your previous communication correctly, it appears that

  1.  The tests for the following two packages are failing due to the OpenSSL 
CVE-2023-46809 <https://security-tracker.debian.org/tracker/CVE-2023-46809> fix. 
However, upon reviewing the patch changes, it seems that this behaviour is 
expected. The error encountered is a warning to the user about the deprecation 
of RSA_PKCS1_PADDING for private decryption, with an option to revert the fix 
if necessary:

  *   node-node-rsa_1.1.1-4
  *   node-public-encrypt_4.0.3-1

Will it be appropriate to comment out this test?

  2.  This is part of the Math Team's work, as seen here: 
Macaulay2 <https://salsa.debian.org/math-team/macaulay2>. Considering this, do 
we really need to address this issue, like how you mentioned the case of 
dask.distributed_2022.12.1+ds.1-3?

  *   macaulay2_1.21+ds-3

  3.  These two packages are failing due to issues with pkg-javascript, as 
mentioned for node-minipass_3.3.6+~cs9.4.19-1.

  *   node-rollup-plugin-sass_1.12.16-1 (dh_auto_test: error: /bin/sh -ex 
debian/tests/pkg-js/test)
  *   node-mutate-fs_2.1.1-2 (dh_auto_test: error: /bin/sh -ex 
debian/tests/pkg-js/test)

Your input will be valuable in helping clarify the next steps for these issues.

Best Regards,
Syeda Shagufta Naaz

Senior Software Developer
SIEMENS FT FDS (Foundational Services)

From: Jérémy Lal <kapo...@melix.org>
Sent: 18 February 2025 05:32
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
Cc: pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES 
LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) 
<ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) 
<hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) 
<badrikesh.pru...@siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian 
repository

Update:

Done: node-rollup_3.15.0-1
Done: node-redis_4.5.1+~1.1.2-1
Not a regression of nodejs, but is a pkg-javascript problem so it's Done: 
node-minipass_3.3.6+~cs9.4.19-1
Not a regression of nodejs, not my problem at all: 
dask.distributed_2022.12.1+ds.1-3
Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
Done: node-csstype_3.1.1-1

"Done" means there is a FTBFS bug for that package,
and I opened a release.debian.org bug containing a 
diff that fixes the FTBFS bug for that package.

On Mon, 17 Feb 2025 at 12:04, Jérémy Lal <kapo...@melix.org> wrote:
Thank you for this helpful work.
Yes, since the latest nodejs update to bookworm has been somewhat catastrophic,
it is our duty to ensure the next one goes very smoothly for it to be accepted.

To sum up, we have this:

Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and 
nodejs_18.20.4+dfsg-1~deb12u1:
node-rollup_3.15.0-1
node-redis_4.5.1+~1.1.2-1
node-minipass_3.3.6+~cs9.4.19-1
dask.distributed_2022.12.1+ds.1-3
jquery_3.3.1~dfsg-3
node-csstype_3.1.1-1
node-recast_0.21.1-1
node-js-sdsl_4.1.4-2
node-wikibase-cli_15.15.4-4
node-regexpp_3.2.0-4
science.js_1.9.3+dfsg-3
moment-timezone.js_0.5.40+dfsg-1+2023c
node-resolve_1.22.1+~cs5.31.10-1
node-jest_29.3.1~ds1+~cs70.48.25-2
node-jschardet_3.0.0+dfsg+~1.4.0-2
node-lib0_0.2.58-1

1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
PASSED: firefox-esr_128.5.0esr-1~deb12u1

5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
node-node-rsa_1.1.1-4
node-rollup-plugin-sass_1.12.16-1
macaulay2_1.21+ds-3
node-public-encrypt_4.0.3-1
node-mutate-fs_2.1.1-2

The goal is to fix them (ensure they build, and their autopkgtest pass for node 
18.20.4), then do a reportbug release.debian.org
to bookworm-pu for each of them, finishing with a bookworm-pu for nodejs 
18.20.4.
Attention: some of them might already have bookworm-pu bugs opened.



On Mon, 17 Feb 2025 at 11:36, Naaz, Syeda Shagufta 
<syedashagufta.n...@siemens.com> wrote:
Hi Jeremy Lal,

Thank you for your earlier email.

As per your suggestion, I have attached the RATT test results for Node.js 
versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with the 
build logs for the failed packages.

Upon reviewing the results, I noticed the following:

  *   Version 18.19.0 has failures in 18 packages.

     *   firefox-esr_128.5.0esr-1~deb12u1: this package failed in version 
18.19.0 but passed in version 18.20.4.

  *   Version 18.20.4 has failures in 22 packages, of which 5 are additional 
compared to v18.19.0:

     *   node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
     *   node-node-rsa_1.1.1-4 (failure in dh_auto_test)
     *   node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
     *   macaulay2_1.21+ds-3 (failure in dh_auto_build)
     *   node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
I also noticed that the first two packages are failing due to the OpenSSL CVE 
fix for 
CVE-2023-46809 <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.

Could the additional failures in version 18.20.4 be the reason the update has 
not yet been implemented?
I would appreciate your insights on this matter. Please let me know your 
thoughts.
Best Regards,
Syeda Shagufta Naaz

Senior Software Developer
SIEMENS FT FDS (Foundational Services)



From: Jérémy Lal <kapo...@melix.org>
Sent: 07 February 2025 16:31
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
Cc: pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES 
LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) 
<ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) 
<hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) 
<badrikesh.pru...@siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian 
repository

Also note that debian/trixie will have a version of nodejs that uses even more 
external dependencies,
with a source tarball excluding the externalized dependencies, which will make 
the process of doing security uploads easier for everyone.

On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapo...@melix.org> wrote:
Security uploads take a lot of work to ensure all reverse (build-)dependencies 
of a package build and pass their test suite successfully.
For that last upload, I, in particular, lost track of time.
To help me, one can redo those verifications, and then, once several packages 
failing to rebuild have been identified,
they must be fixed, proposed to bookworm, and once they are all accepted, that 
version of nodejs can be proposed to bookworm too.


On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta 
<syedashagufta.n...@siemens.com> wrote:
Package: nodejs
Version: 18.19.0+dfsg-6~deb12u2
Severity: critical

Dear Debian Community,

We are currently working with the Debian 
Bookworm <https://packages.debian.org/bookworm/nodejs> 12.9 release for our 
project and observed that the nodejs version is 18.19.0+dfsg-6~deb12u2.

However, upon reviewing the 
salsa-debian/bookworm <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads> 
branch, we noticed that version 18.20.4+dfsg-1~deb12u1 is available, which 
includes fixes for multiple CVE issues, such as,

  *   CVE-2024-27983 <https://security-tracker.debian.org/tracker/CVE-2024-27983> (8.2 HIGH)
  *   CVE-2024-21892 <https://security-tracker.debian.org/tracker/CVE-2024-21892> (7.5 HIGH)
  *   CVE-2024-22019 <https://security-tracker.debian.org/tracker/CVE-2024-22019> (7.5 HIGH)

These fixes are not included in the current Bookworm release. As some of these 
vulnerabilities have a severity of High, we are eager for these fixes to be 
available.

Could you please help clarify why there is a discrepancy between the version in 
the Bookworm release and the one on salsa? Is there any specific reason for 
the delay, and is there any fixed timeline for resolving this?

I appreciate your time and guidance on this matter.

Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
