Processed: severity of 1027472 is grave
Processing commands for control@bugs.debian.org:
severity 1027472 grave
Bug #1027472 [src:ledgersmb] ledgersmb: upstram says 1.6 is unsupported and insecure. Newer upstream version 1.10 available
Severity set to 'grave' from 'normal'
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1027472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027472
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
Hi Moritz,

Thank you for raising the point and offering help.

The security issues that upstream mentions are affecting 1.6 have not been released as fixes by the project, but I *have* backported them to the 1.6 Debian package; so, as far as I am currently aware, the 1.6 Debian packaged LedgerSMB is no more insecure than the one(s) that are being released in newer minor branches.

That said, I may need some guidance indeed: newer LedgerSMB versions have started using Vue as the web UI. This means that the strategy for the JavaScript dependencies used with 1.6 ("remove Dojo from the tarball and depend on Debian's") no longer works: there's a (rather extensive) build process required to generate the JavaScript assets. Similar to how Go dependencies are handled: the assets need to be rebuilt when a security fix is published for the dependencies. From my reading, the Debian ecosystem isn't well equipped to deal with the way Go (and JavaScript) handles its dependencies.

Now for my guidance: I haven't been able to find clear policy as to what Debian considers correct packaging procedure. Could you please direct me to a document or person able to coach me through what I'm supposed to do to make this work?

Thanks!

On Thu, Oct 31, 2024 at 2:54 PM Debian Bug Tracking System <owner@bugs.debian.org> wrote:
> Processing commands for control@bugs.debian.org:
>
> severity 1027472 grave
> Bug #1027472 [src:ledgersmb] ledgersmb: upstram says 1.6 is unsupported and insecure. Newer upstream version 1.10 available
> Severity set to 'grave' from 'normal'
> thanks
> Stopping processing here.
>
> Please contact me if you need assistance.
> --
> 1027472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027472
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems
--
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
participants (2)
- Debian Bug Tracking System
- Erik Huelsmann