[Pkg-javascript-devel] components without major risks

Xavier xg at xnr.fr
Tue Nov 27 12:59:52 GMT 2018


Le 27/11/2018 à 13:47, Xavier a écrit :
> Le 27/11/2018 à 11:55, Jonas Smedegaard a écrit :
>> Hi Xavier and Paolo,
>>
>> Please allow me to highlight this security-related detail:
>>
>> Quoting Xavier (2018-11-26 16:29:32)
>>> Embedding components without following them may be a lack of security. 
>>> I think we should have a policy for embedding:
>>>  - components without major risks   => not used in version
>>>  - components that must be followed => declared as "group" in
>>>    debian/watch
>>>  - components that must be followed and used in many other packages
>>>    => packaged separately
>>
>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>> With yesterday's news about the event-stream node module being pwned: 
>>> https://github.com/dominictarr/event-stream/issues/116
>>> the importance of these matters should be clear to anyone.
>>> Probably there is no component "without major risks", and even if it 
>>> existed, it would be unfair to lay upon the busy maintainer the task 
>>> of deciding if it is risky or not.
>>
>> Thanks to _both_ of you (and others in the thread) for all your work 
>> tackling these issues.
>>
>> My point here is *not* to point fingers, but to emphasize an important 
>> aspect of our task as (re)distributors of code: Ensure code integrity 
>> towards our users.
>>
>>
>>  - Jonas
> 
> Thanks, so I propose this policy update - please review this:
>  - components used only during build => not used in version
>    (except if they inject some code)
>  - if upstream version isn't locked on dependencies (see Jérémy's remark)
>    [or if upstream isn't serious?]:
>    * very small component => not used in version
>    * components that must be followed and maybe used in many other
>      packages              => packaged separately
>    * other components      => declared as "group" in debian/watch
> 
> Sharing policy (components published via debian/control "Provides:") -
> please review this:
>  - components used only during build => no
>  - components locked to a too old version => no [needs to patch code
>    to replace "require('x')" by "require('main_mod/x/index.js')" and to
>    install this component in /usr.../main_mod/x]. Maybe a better way?
>  - components installed in main node_modules => published
> 
> 
> Example with node-mongodb:
>  - mongodb-core => group + published
>  - bson => group + not published (locked to 1.1.0 while upstream
>                                   published a 4.0.0, NB: same author so
>                                   less security risk)
>  - require_optional => not grouped + not published (simple package that
>                                                     avoids failure on
>                                                     "require" of an
>                                                     optional module:
>                                                     try/catch)
> 
> Maybe a "debian/README.source" might be required for the DD to explain
> his choices (lintian error if missing).
> 
> I think also that dak should redirect an upload to NEW queue when a new
> component is added, at least in version (like every time a new binary
> package is added)
> 
> Regards,
> Xavier

Another problem to keep in mind: imagine node-mongodb published
"require_optional" or "bson" in /usr/lib/nodejs or
/usr/lib/node_modules. Then every module that wants to use
require_optional will depend on the node-mongodb driver! We must evaluate
this point before publishing a component (and so locking the
/usr/lib/nodejs/<name> directory), to decide whether it would not pull in
too many unwanted packages.

(NB: I will upload a new version of node-mongodb, consistent with the
policy, when it is stable)
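As an added illustration of the "declared as group in debian/watch" option applied to the node-mongodb example above (this is example content, not Xavier's mail nor the actual node-mongodb packaging), here is what such a watch file could look like. It assumes a uscan that supports group mode, the npm registry URL pattern used by the team, and that the Debian upstream version is then built from the components' versions (uscan's group mode joins them with "+~"); the regex restriction for bson to the 1.x branch is my choice, reflecting the "locked to 1.1.0" note in the mail.

```text
# debian/watch (added example, not node-mongodb's real file)
version=4

# Main module: its version comes first in the combined upstream version.
opts="searchmode=plain,pgpmode=none" \
  https://registry.npmjs.org/mongodb \
  https://registry.npmjs.org/mongodb/-/mongodb-(\d[\d\.]*)@ARCHIVE_EXT@ group

# Followed component ("group" in the policy): uscan fetches it alongside the
# main module and reports a new upstream version whenever it changes.
opts="searchmode=plain,pgpmode=none,component=mongodb-core" \
  https://registry.npmjs.org/mongodb-core \
  https://registry.npmjs.org/mongodb-core/-/mongodb-core-(\d[\d\.]*)@ARCHIVE_EXT@ group

# bson is grouped but locked to the 1.x branch by upstream, so the regex only
# matches 1.x releases; uscan will not pull the unrelated 4.0.0 line.
opts="searchmode=plain,pgpmode=none,component=bson" \
  https://registry.npmjs.org/bson \
  https://registry.npmjs.org/bson/-/bson-(1\.\d[\d\.]*)@ARCHIVE_EXT@ group

# require_optional is "not grouped" in the mail: no line here, it stays
# embedded as-is in the upstream tarball.
```

Whether a grouped component is also "published" (made available under /usr/lib/nodejs and declared via "Provides:" in debian/control) is a separate decision that the watch file does not make; the watch file only ensures the component is followed so that an upstream change, or a compromise like the event-stream one, is noticed at the next uscan run.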