#3115 Permanent Updates Policy exception for llhttp
Closed: Accepted 4 months ago by zbyszek. Opened 5 months ago by music.

This ticket asks FESCo to consider whether the llhttp package should be granted a permanent exception under the Updates Policy.

The llhttp package is a C library (transpiled from TypeScript) that provides the low-level HTTP support for NodeJS (which currently bundles it, although the maintainers have discussed unbundling it), for python-aiohttp, and for uxplay.

It has twice been necessary (https://pagure.io/fesco/issue/3106, https://pagure.io/fesco/issue/3049) to request an Updates Policy Exception because a security problem in llhttp was fixed in a release that also broke ABI and/or API compatibility. In both cases, the corresponding python-aiohttp update was API-compatible, and there was no disruption to recursively-dependent packages.

Prompted by a suggestion by @gotmax23, and considering llhttp’s status as a low-level dependency with high security relevance (as its purpose is to parse potentially-untrusted HTTP), this ticket asks FESCo whether llhttp should be granted a categorical exception for such updates.

Good practice would still imply that such updates should avoid unnecessary incompatibilities, and should avoid breaking dependent packages (e.g. by updating or rebuilding them in the same side tag and Bodhi update).

It’s not possible to predict how many—if any—such updates might be required in the future. If this exception is not granted, then any similar updates that might be required in the future would be handled via case-by-case exception requests; this means more things that FESCo might need to consider and vote on, but would be perfectly feasible. I’m not personally strongly invested in a particular outcome to this ticket.

Metadata Update from @ngompa:
- Issue tagged with: updates policy exception

5 months ago

It looks like this will be approved, so here’s a PR to update documentation once voting has ended.


After a week: APPROVED (+6, 0, 0)

I'll add the announcement to today's agenda.

Metadata Update from @zbyszek:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

4 months ago

Login to comment on this ticket.