Activity log for bug #2003831

Date Who What changed Old value New value Message
2023-01-25 01:45:07 Bryce Harrington bug added bug
2023-01-25 01:45:27 Bryce Harrington bug task added node-trust-webcrypto (Ubuntu)
2023-01-25 01:47:47 Bryce Harrington description node-trust-webcrypto and node-solid-keychain block the nodejs transition. node-trust-webcrypto is a dependency of node-solid-keychain, but nothing else appears to depend on them in lunar: $ apt-cache rdepends node-trust-webcrypto node-trust-webcrypto Reverse Depends: node-solid-keychain $ apt-cache rdepends node-solid-keychain node-solid-keychain Reverse Depends: Both of these are also failing Debian CI, with the same errors in test logs. Neither of these have had a release in a while, and they appear to be unmaintained. node-solid-keychain has been moved upstream out of the @solid/ namespace to @solid-contrib/ which seems to be causing its autopkgtest failures. node-trust-webcrypto's upstream in particular includes an archiving notice: https://github.com/anvilresearch/webcrypto/commit/210653f1bee449fec86214dc2fa4258fff775b4c "# NOTICE # We’re archiving Anvil Connect and all related packages. This code is entirely MIT Licensed. You’re free to do with it what you want. That said, we are recommending _**against**_ using it, due to the potential for security issues arising from unmaintained software. For more information, see the announcement at [anvil.io](https://anvil.io)." This seems a convincing point to me for removal of these two packages from the archive. As an unmaintained and out of date crypto package, users relying on it could be exposed to security issues that don't look likely to ever be addressed. Please remove from the lunar archive: - node-solid-keychain/0.1.3-3.1 (source) - node-solid-keychain/0.1.3-3.1 (binary) - node-trust-webcrypto/0.9.2-1 (source) - node-trust-webcrypto/0.9.2-1 (binary) node-trust-webcrypto and node-solid-keychain block the nodejs transition. (C.f. https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#nodejs) node-trust-webcrypto is a dependency of node-solid-keychain, but nothing else appears to depend on them in lunar:   $ apt-cache rdepends node-trust-webcrypto   node-trust-webcrypto   Reverse Depends:     node-solid-keychain   $ apt-cache rdepends node-solid-keychain   node-solid-keychain   Reverse Depends: Both of these are also failing Debian CI, with the same errors in test logs. Neither of these have had a release in a while, and they appear to be unmaintained. node-solid-keychain has been moved upstream out of the @solid/ namespace to @solid-contrib/ which seems to be causing its autopkgtest failures. node-trust-webcrypto's upstream in particular includes an archiving notice: https://github.com/anvilresearch/webcrypto/commit/210653f1bee449fec86214dc2fa4258fff775b4c "# NOTICE # We’re archiving Anvil Connect and all related packages. This code is entirely MIT Licensed. You’re free to do with it what you want. That said, we are recommending _**against**_ using it, due to the potential for security issues arising from unmaintained software. For more information, see the announcement at [anvil.io](https://anvil.io)." This seems a convincing point to me for removal of these two packages from the archive. As an unmaintained and out of date crypto package, users relying on it could be exposed to security issues that don't look likely to ever be addressed.
2023-01-25 01:55:08 Bryce Harrington bug added subscriber Ubuntu Package Archive Administrators
2023-01-25 02:35:11 Steve Langasek node-solid-keychain (Ubuntu): status New Fix Released
2023-01-25 02:36:58 Steve Langasek node-trust-webcrypto (Ubuntu): status New Fix Released