[Bug 2080872] Re: replace unmaintained http-parser dependency with llhttp
Lukas Märdian
2080872 at bugs.launchpad.net
Thu Nov 7 15:27:58 UTC 2024
Looking into this case, there seems to be no proper (isolated) libllhttp
package.
The existing libllhttp9.1 package is shipped as part of the
src:node-undici package, but has otherwise no runtime dependency on NodeJS
(only libc6). Looking into the node-undici sources, it seems to be a vendored
dependency inside node-undici, only.
So I think we have a few options here:
A/ use the vendored llhttp from libgit2:deps/llhttp/ (not exposed to the archive)
B/ use the vendored llhttp from node-undici/llhttp/ (exposed as libllhttp9.1 to the archive)
=> this needs MIR for the libllhttp9.1 binary package, but we should probably ignore the rest.
C/ Find somebody to prepare a proper, isolated src:llhttp package, just shipping upstream libllhttp from https://github.com/nodejs/llhttp/
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgit2 in Ubuntu.
https://bugs.launchpad.net/bugs/2080872
Title:
replace unmaintained http-parser dependency with llhttp
Status in libgit2 package in Ubuntu:
New
Status in node-undici package in Ubuntu:
New
Bug description:
http-parser has been deprecated [0] for llhttp [1] in libgit2.
http-parser is unmaintained. There is nobody writing security patches
for http-parser. It should be removed as a libgit2 dependency and then
removed from the main archive.
Note http-parser's MIR clause [2]:
Security team propose a conditional ACK for promoting http-parser to main
upon Foundations team's acknowledgment of their commitment in assisting with
the development of security fixes, in the absence of upstream support, as
well as their responsibility to ask for demoting the package in the future
once a suitable alternative is identified and deemed feasible.
[0] https://github.com/libgit2/libgit2/issues/6074
[1] https://github.com/libgit2/libgit2/pull/6713
[2] https://bugs.launchpad.net/ubuntu/+source/http-parser/+bug/1990655/comments/14