Web lists-archives.com

Re: concerns about Salsa

On Mon, Jun 4, 2018 at 6:29 PM, Dmitry Smirnov wrote:

> IMHO we should have been working on improving GitLab package in order to make
> is suitable for Salsa if it is not suitable already. What are the blockers?

In my opinion the biggest blocker is that, the node.js ecosystem is
not security supported by Debian because of libv8 not being security
supported. In addition, there is no-one in Debian tracking
vulnerabilities in the node.js ecosystem reported by NodeSecurity and
importing the issues into the Debian security tracker. I used to do
this occasionally to see how many issues we were ignoring but it needs
to be done in a systematic way by people interested in JavaScript
security. The biggest problem with this is that a lot of NodeSecurity
reported issues do not get a CVE, this seems to be improving though.
After that, the ones that did get a CVE were either still reserved
with no info or in 'check' mode and needed to be classed as not-for-us
or applying to a certain Debian package.


I have no idea how that compares with the security support provided by
GitLab upstream though.