[AWS] Debian reports security vulnerabilities in prototype.js bundled with AWS

Emmanuel Briot briot at adacore.com
Mon Nov 9 10:20:02 CET 2009


> Since these are security vulnerabilities affecting stable, these bugs
> get the highest priority and I will upload a security fix to stable.  If
> a fix is not possible, AWS will be removed from Debian stable
> altogether: it is better to have nothing at all than insecure software.
> OTOH, if the prototype.js is only used in examples and not in the actual
> library, the problem is not really serious (I think this is the case but
> I'd like confirmation).

Yes, prototype.js is only used for examples. The web_components was an attempt
at providing a javascript framework, but it never really went very far (except
for the AJAX support, I believe). It should be possible to upgrade to the newer
version of prototype.js.

> PS. As a long-term enhancement request, I ask that you NOT bundle ANY
> software with AWS or any other software, i.e. remove any bundled
> software from Subversion and, instead, add instructions to the README or
> INSTALL files explaining the dependencies.  Today's security
> vulnerabilities are just the last in a long list of problems caused by
> software bundled in AdaCore's source trees.  Previous problems included
> copyright infringements (see the discussions we had on
> polyorb-users at l.adacore.com a couple months ago) and at least one severe
> bug in GPS (see http://bugs.debian.org/297980 - two months elapsed time
> and 3 volunteers spending dozens of hours investigating).

Unfortunately, your requirements are not compatible with what most users expect.
You are in a special position as a package maintainer, but most people (and
especially on non-linux platforms) expect easy installation. So I think the
contents of the packages will likely not change.

regards,

Emmanuel
