[Pkg-javascript-devel] components without major risks

Jonas Smedegaard jonas at jones.dk
Tue Nov 27 14:03:09 GMT 2018 

Quoting Xavier (2018-11-27 14:00:42)
> Le 27/11/2018 à 11:55, Jonas Smedegaard a écrit :
> > Hi Xavier and Paolo,
> > 
> > Please allow me to highlight this security-related detail:
> > 
> > Quoting Xavier (2018-11-26 16:29:32)
> >> Embedding components without following them may be a lack of security. 
> >> I think we should have a policy for embedding:
> >>  - components without major risks   => not used in version
> >>  - components that must be followed => declared as "group" in
> >>    debian/watch
> >>  - components that must be followed and used in many other packages
> >>    => packaged separately
> > 
> > Quoting Paolo Greppi (2018-11-27 10:52:37)
> >> With yesterday's news about the event-stream node module being pwned: 
> >> https://github.com/dominictarr/event-stream/issues/116
> >> the importance of these matters should be clear to anyone.
> >> Probably there is no component "without major risks", and even if it 
> >> existed, it would be unfair to lay upon the busy maintainer the task 
> >> of deciding if it is risky or not.
> > 
> > Thanks to _both_ of you (and others in the thread) for all your work 
> > tackling these issues.
> > 
> > My point here is *not* to point fingers, but to emphasize an important 
> > aspect of our task as (re)distributors of code: Ensure code integrity 
> > towards our users.
> > 
> > 
> >  - Jonas
> 
> Thanks, so I propose this policy update - please review this:
>  - components used only during build => not used in version
>    (except if they inject some code)
>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>    [or if upstream isn't serious?]:
>    * very little component => not used in version
>    * components that must be followed and maybe used in many other
>      packages              => packaged separately
>    * other components      => declared as "group" in debian/watch

Sorry, I don't understand: Why not track code used during build?

Seems you propose to systematically ignore potential upstream bugfixes.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20181127/06f02098/attachment.sig>

More information about the Pkg-javascript-devel mailing list