Hi Moritz,
Thank you for raising the point and offering help. The security issues that upstream mentions are affecting 1.6 have not been released as fixes by the project, but I *have* backported them to the 1.6 Debian package; so, as far as I am currently aware, the 1.6 Debian packaged LedgerSMB is no more insecure than the one(s) that are being released in newer minor branches.
That said, I may need some guidance indeed: newer LedgerSMB versions have started using Vue as the web UI. This means that the strategy for the JavaScript dependencies used with 1.6 ("remove Dojo from the tarball and depend on Debian's") no longer works: there's a (rather extensive) build process required to generate the JavaScript assets. Similar to how Go dependencies are handled: the assets need to be rebuilt when a security fix is published for the dependencies. From my reading, the Debian ecosystem isn't well equipped to deal with the way Go (and JavaScript) handles its dependencies.
Now for my guidance: I haven't been able to find clear policy as to what Debian considers correct packaging procedure. Could you please direct me to a document or person able to coach me through what I'm supposed to do to make this work?
Thanks!