[Pkg-javascript-devel] components without major risks

Xavier yadd at debian.org
Tue Nov 27 13:00:42 GMT 2018


On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> Hi Xavier and Paolo,
> 
> Please allow me to highlight this security-related detail:
> 
> Quoting Xavier (2018-11-26 16:29:32)
>> Embedding components without following them may be a lack of security. 
>> I think we should have a policy for embedding:
>>  - components without major risks   => not used in version
>>  - components that must be followed => declared as "group" in
>>    debian/watch
>>  - components that must be followed and used in many other packages
>>    => packaged separately
> 
> Quoting Paolo Greppi (2018-11-27 10:52:37)
>> With yesterday's news about the event-stream node module being pwned: 
>> https://github.com/dominictarr/event-stream/issues/116
>> the importance of these matters should be clear to anyone.
>> Probably there is no component "without major risks", and even if it 
>> existed, it would be unfair to lay upon the busy maintainer the task 
>> of deciding if it is risky or not.
> 
> Thanks to _both_ of you (and others in the thread) for all your work 
> tackling these issues.
> 
> My point here is *not* to point fingers, but to emphasize an important 
> aspect of our task as (re)distributors of code: Ensure code integrity 
> towards our users.
> 
> 
>  - Jonas

Thanks, so I propose this policy update - please review this:
 - components used only during build => not used in version
   (except if they inject some code)
 - if upstream version isn't locked on dependencies (see Jérémy's remark)
   [or if upstream isn't serious?]:
   * very small component => not used in version
   * components that must be followed and maybe used in many other
     packages              => packaged separately
   * other components      => declared as "group" in debian/watch

Sharing policy (components published via debian/control "Provides:") -
please review this:
 - components used only during build => no
 - components locked to a too-old version => no [need to patch the code
   to replace "require('x')" by "require('main_mod/x/index.js')" and to
   install this component in /usr.../main_mod/x]. Maybe a better way?
 - components installed in main node_modules => published


Example with node-mongodb:
 - mongodb-core => group + published
 - bson => group + not published (locked to 1.1.0 while upstream
                                  published a 4.0.0, NB: same author so
                                  less security risk)
 - require_optional => not grouped + not published (simple package that
                                                    avoids failure on
                                                    "require" of an
                                                    optional module:
                                                    try/catch)

Maybe a "debian/README.source" might be required for the DD to explain
his choices (lintian error if missing).

I also think that dak should redirect an upload to the NEW queue when a
new component is added, at least in version (like every time a new
binary package is added)

Regards,
Xavier


