[Bug 2080872] [NEW] replace unmaintained http-parser dependency with llhttp

Mark Esler 2080872 at bugs.launchpad.net
Mon Sep 16 16:55:40 UTC 2024


Public bug reported:

http-parser has been deprecated [0] for llhttp [1] in libgit2.

http-parser is unmaintained. There is nobody writing security patches
for http-parser. It should be removed as a libgit2 dependency and then
removed from the main archive.

Note http-parser's MIR clause [2]:

  Security team propose a conditional ACK for promoting http-parser to main
  upon Foundations team's acknowledgment of their commitment in assisting with
  the development of security fixes, in the absence of upstream support, as
  well as their responsibility to ask for demoting the package in the future
  once a suitable alternative is identified and deemed feasible.

[0] https://github.com/libgit2/libgit2/issues/6074
[1] https://github.com/libgit2/libgit2/pull/6713
[2] https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug/1990655/comments/14

** Affects: libgit2 (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  http-parser has been deprecated [0] for llhttp [1] in libgit2.
  
  http-parser is unmaintained. There is nobody writing security patches
  for http-parser. It should be removed as a libgit2 dependency and then
  removed from the main archive.
  
- Note htt-parser's MIR clause [2]:
+ Note http-parser's MIR clause [2]:
  
-   Security team propose a conditional ACK for promoting http-parser to main
-   upon Foundations team's acknowledgment of their commitment in assisting with
-   the development of security fixes, in the absence of upstream support, as
-   well as their responsibility to ask for demoting the pacakge in the future
-   once a suitable alternative is identified and deemed feasible.
+   Security team propose a conditional ACK for promoting http-parser to main
+   upon Foundations team's acknowledgment of their commitment in assisting with
+   the development of security fixes, in the absence of upstream support, as
+   well as their responsibility to ask for demoting the pacakge in the future
+   once a suitable alternative is identified and deemed feasible.
  
  [0] https://github.com/libgit2/libgit2/issues/6074
  [1] https://github.com/libgit2/libgit2/pull/6713
  [2] https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug/1990655/comments/14

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgit2 in Ubuntu.
https://bugs.launchpad.net/bugs/2080872