Vít Ondruch wrote:
On 28.8.2018 at 15:58, Christopher wrote:
> Given the security vulnerabilities in jQuery 1 (and 2) and the fact
> that upstream dropped them a long time ago, I strongly recommend the
> packages be retired rather than kept alive. Packagers depend on the newer
> js-jquery (3) instead, patching as needed.
Of course I see your point. Nevertheless, I still believe that it is
better to have the CVEs in one package where they will be eventually
fixed than spread across the whole of Fedora bundled in all packages,
because I am quite sure this will be the result of retiring js-jquery1.
What reason do you have to believe that the security holes in jQuery 1
will eventually be fixed, if upstream has abandoned it in favor of
jQuery 3?
Note also that insecure packages will be forcibly removed per the FESCo
decision made just this week:
https://pagure.io/fesco/issue/1935
You'd have to obtain some kind of exemption from that policy if you
want to keep an insecure jQuery 1 around indefinitely.
Björn Persson