• Re: Potential MBF: Migration from twitter-bootstrap{3,4} to bootstrap-h

    From Santiago Ruano Rincón@21:1/5 to All on Mon Feb 3 23:50:01 2025
    Dear all,

    On 20/11/24 at 12:19, Santiago Ruano Rincón wrote:
    Dear fellow developers,

    (Sorry for any duplicate. I've tried to send a first mail to
    debian-devel, but it hadn't reached the list. So I am sending a more
    compact version of my previous message.)

    A little bit more of context can be found at: https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2024-October/081589.html
    and:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059#5,

    I would like to discuss a mass bug filing for packages {,build-}
    depending on twitter-bootstrap3 or twitter-bootstrap4, that have been
    EOL'ed by upstream. The security support for bootstrap 3 and 4 has some challenges, and it would be great if the packages depending on them
    could migrate to bootstrap 5.

    However, bootstrap 5 is not just a drop-in replacement, and some
    patching at upstream level may be needed. It is probably too late for
    trixie. A more realistic target would be trixie+1. In any case, from the security support PoV, the higher the number of packages have moved to bootstrap5 for trixie, the better.

    The list of concerned reverse dependencies and their maintainers, for
    the two different versions, can be found here attached. For simplicity,
    this time I've included the first level of reverse dependencies only.

    [snip]

    You may probably be aware that I filed the bootstrap v5
    migration-related bugs, that can be listed with:
    https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org

    Do you believe their severity could be increased? If yes, to important,
    to grave?

    It would be great to get rid of the dependencies on those unmaintained
    bootstrap versions, whose outstanding (minor-severity) CVEs are
    difficult to get fixed, and it will be the case for any future issue.
    https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
    https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4

    The time for fixing all of those dependencies is probably too short for
    trixie. But I would bring it for discussion.

    Any thoughts?

    Cheers,

    -- Santiago


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Gevers@21:1/5 to All on Thu Feb 6 09:30:01 2025
    To: [email protected] (Santiago Ruano Rincón)
    Copy: [email protected] (Daniel Baumann)
    Copy: [email protected] (Debian Javascript Maintainers)
    Copy: [email protected]

    Hi Security team, Santiago,

    On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
    > You may probably be aware that I filed the bootstrap v5
    > migration-related bugs, that can be listed with:
    > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org
    >
    > Do you believe their severity could be increased? If yes, to important,
    > to grave?
    >
    > It would be great to get rid of the dependencies on those unmaintained
    > bootstrap versions, whose outstanding (minor-severity) CVEs are
    > difficult to get fixed, and it will be the case for any future issue.
    > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
    > https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4
    >
    > The time for fixing all of those dependencies is probably too short for
    > trixie. But I would bring it for discussion.

    @Santiago, are there key packages involved in this? If so, which?

    What's the opinion of the security team on this? I want to follow your
    lead here. If you think it's better from a security standpoint to not
    have this in trixie, I'm fine with raising severity now (assuming no key
    packages are involved).

    Paul


  • From Sebastian Ramacher@21:1/5 to Emilio Pozuelo Monfort on Fri Feb 7 12:20:01 2025
    On 2025-02-07 10:47:15 +0100, Emilio Pozuelo Monfort wrote:
    On 06/02/2025 09:21, Paul Gevers wrote:
    Hi Security team, Santiago,

    On 03-02-2025 23:49, Santiago Ruano Rincón wrote:
    You may probably be aware that I filed the bootstrap v5 migration-related bugs, that can be listed with: https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org

    Do you believe their severity could be increased? If yes, to important, to grave?

    It would be great to get rid of the dependencies on those unmaintained bootstrap versions, whose outstanding (minor-severity) CVEs are
    difficult to get fixed, and it will be the case for any future issue. https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3
    https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4

    The time for fixing all of those dependencies is probably too short for trixie. But I would bring it for discussion.

    @Santiago, are there key packages involved in this? If so, which?

    What's the opinion of the security team on this? I want to follow your
    lead here. If you think it's better from a security standpoint to not
    have this in trixie, I'm fine with raising severity now (assuming no key packages are involved).

    I checked for twitter-bootstrap3 and there are 77 (build-)rdeps in testing, of which 7 are key packages:

    ffmpeg

    The use of twitter-bootstrap3 for ffmpeg is for offline
    documentation. I don't see any security issue with that.

    Cheers

    fmtlib
    guzzle-sphinx-theme
    jupyter-server
    libevdev
    pydoctor
    ruby-sidekiq

    I haven't checked twitter-bootstrap4.

    Cheers,
    Emilio


    --
    Sebastian Ramacher
