Discussion:
Bug#1086740: lintian: [lintian] Please warn about obsolete twitter-bootstrap{3,4} {,build}-dependencies
Add Reply
Santiago Ruano Rincón
2024-11-05 05:50:01 UTC
Reply
Permalink
Source: lintian
Version: 2.120.0
Severity: wishlist
X-Debbugs-Cc: Debian Pan Maintainers <pkg-javascript-***@alioth-lists.debian.net>, Yadd <***@debian.org>, Daniel Baumann <***@progress-linux.org>

Dear lintian maintainers,

I would like to request a lintian tag to make package maintainers aware
of the obsolescence of twitter-bootstrap3 and twitter-bootstrap4.
These two packages are EOL'ed upstream, there are a couple of CVE open
for them, and upstream is not publicly proposing fixes.
I agree with the comment by Moritz
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059#5) that
packages should move their dependencies to boostrap 5
(src:bootstrap-html), which is the current version supported upstream.

AFAIU, bootstrap 5 is not just a drop-in replacement, and so there is
work on the upstream side. To guide package maintainers and upstream
developers, lintian could include the following links in the tag info:

https://getbootstrap.com/docs/5.3/migration/
https://getbootstrap.com/docs/4.6/migration/

I am planing to discuss a mass-bug-filling in debian-devel too, but a
lintian tag would help anyway, especially for packages adding a new
dependency on the two old bootstrap versions.

Any thoughts?

Cheers,

-- Santiago
Louis-Philippe Véronneau
2024-11-05 15:30:01 UTC
Reply
Permalink
Post by Santiago Ruano Rincón
Source: lintian
Version: 2.120.0
Severity: wishlist
Dear lintian maintainers,
I would like to request a lintian tag to make package maintainers aware
of the obsolescence of twitter-bootstrap3 and twitter-bootstrap4.
These two packages are EOL'ed upstream, there are a couple of CVE open
for them, and upstream is not publicly proposing fixes.
I agree with the comment by Moritz
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059#5) that
packages should move their dependencies to boostrap 5
(src:bootstrap-html), which is the current version supported upstream.
AFAIU, bootstrap 5 is not just a drop-in replacement, and so there is
work on the upstream side. To guide package maintainers and upstream
https://getbootstrap.com/docs/5.3/migration/
https://getbootstrap.com/docs/4.6/migration/
I am planing to discuss a mass-bug-filling in debian-devel too, but a
lintian tag would help anyway, especially for packages adding a new
dependency on the two old bootstrap versions.
Any thoughts?
Cheers,
-- Santiago
Hi,

That seems like an interesting tag. Sadly, I doubt the Lintian
maintainers team will have time to look into this in a reasonable
timeframe, as we have a pretty large backlog.

If you wish to try implementing the tag yourself, I'll be happy to
review a Merge Request on the lintian repository.

Cheers,
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
⢿⡄⠘⠷⠚⠋ ***@debian.org / veronneau.org
⠈⠳⣄
Santiago Ruano Rincón
2024-11-05 21:00:01 UTC
Reply
Permalink
[snip]
That seems like an interesting tag. Sadly, I doubt the Lintian maintainers
team will have time to look into this in a reasonable timeframe, as we have
a pretty large backlog.
Fully understandable, of course!
If you wish to try implementing the tag yourself, I'll be happy to review a
Merge Request on the lintian repository.
Yeah, I didn't propose that in my initial mail, since I am not super
fluent in perl, but I will do my best.

Thanks,

-- S
Santiago Ruano Rincón
2024-11-06 20:00:01 UTC
Reply
Permalink
Post by Santiago Ruano Rincón
[snip]
That seems like an interesting tag. Sadly, I doubt the Lintian maintainers
team will have time to look into this in a reasonable timeframe, as we have
a pretty large backlog.
Fully understandable, of course!
If you wish to try implementing the tag yourself, I'll be happy to review a
Merge Request on the lintian repository.
Yeah, I didn't propose that in my initial mail, since I am not super
fluent in perl, but I will do my best.
Done: https://salsa.debian.org/lintian/lintian/-/merge_requests/544

Hopefully I didn't made some many stupidities.

Cheers,

-- Santiago

Loading...