[Pkg-javascript-devel] components without major risks

Jonas Smedegaard jonas at jones.dk
Tue Nov 27 10:55:01 GMT 2018


Hi Xavier and Paolo,

Please allow me to highlight this security-related detail:

Quoting Xavier (2018-11-26 16:29:32)
> Embedding components without following them may be a lack of security. 
> I think we should have a policy for embedding:
>  - components without major risks   => not used in version
>  - components that must be followed => declared as "group" in
>    debian/watch
>  - components that must be followed and used in many other packages
>    => packaged separately

Quoting Paolo Greppi (2018-11-27 10:52:37)
> With yesterday's news about the event-stream node module being pwned: 
> https://github.com/dominictarr/event-stream/issues/116
> the importance of these matters should be clear to anyone.
> Probably there is no component "without major risks", and even if it 
> existed, it would be unfair to lay upon the busy maintainer the task 
> of deciding if it is risky or not.

Thanks to _both_ of you (and others in the thread) for all your work 
tackling these issues.

My point here is *not* to point fingers, but to emphasize an important 
aspect of our task as (re)distributors of code: Ensure code integrity 
towards our users.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
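The integrity point above is easy to state and easy to skip. As an added example (not code from this thread, from Debian tooling, or from the event-stream repository), here is the minimal check it implies for an embedded component: recompute the hash of the vendored tarball and compare it with a value pinned at the time the component was reviewed, in the same "sha512-<base64>" form that npm records in package-lock.json. The tarballs and the pinned value are constructed in memory so the script runs offline; the function names are my own.

```python
import base64
import hashlib
import hmac
import io
import tarfile


def build_sample_tarball(files):
    """Return the bytes of a deterministic tar archive from {name: content}.

    Constructed sample input only: in a real package the data would be the
    vendored (or registry) tarball and would not be built here.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in sorted(files.items()):
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed so the archive bytes are reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sri_integrity(data, algorithm="sha512"):
    """Compute an SRI-style integrity string, e.g. "sha512-<base64 digest>"."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def verify_component(data, expected):
    """Check tarball bytes against a pinned integrity string.

    Returns (ok, actual). The algorithm is taken from the pinned string, so a
    record pinned with sha256 is checked with sha256; the comparison is
    constant-time, which costs nothing and avoids a bad habit.
    """
    algorithm, sep, _ = expected.partition("-")
    if not sep:
        raise ValueError("pinned integrity must look like '<algorithm>-<base64>'")
    actual = sri_integrity(data, algorithm)
    return hmac.compare_digest(actual, expected), actual


# Constructed sample: the component as it was when reviewed, and the value
# that would have been pinned (e.g. in a lock file) at that time.
REVIEWED_TARBALL = build_sample_tarball({
    "package/package.json": '{"name": "sample-component", "version": "1.0.0"}',
    "package/index.js": "module.exports = function (x) { return x; };\n",
})
PINNED_INTEGRITY = sri_integrity(REVIEWED_TARBALL)

# Constructed sample: the same version string, but the build now carries an
# extra file. Same name and version, different bytes; the pin catches it.
TAMPERED_TARBALL = build_sample_tarball({
    "package/package.json": '{"name": "sample-component", "version": "1.0.0"}',
    "package/index.js": "module.exports = function (x) { return x; };\n",
    "package/extra.js": "require('child_process').exec('echo injected');\n",
})


if __name__ == "__main__":
    for label, blob in (("reviewed", REVIEWED_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, actual = verify_component(blob, PINNED_INTEGRITY)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} {actual}")
```

The pin only has value if it was recorded when someone actually looked at the code; it turns "did the bytes change since the review" into a yes/no answer, and nothing more. A component that was never reviewed has no trustworthy pin, which is the point Paolo makes about "components without major risks".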