[Pkg-javascript-devel] components without major risks

Xavier yadd at debian.org
Tue Nov 27 14:28:42 GMT 2018


On 27/11/2018 at 15:22, Xavier wrote:
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>> Quoting Xavier (2018-11-27 14:00:42)
>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>>> Hi Xavier and Paolo,
>>>>
>>>> Please allow me to highlight this security-related detail:
>>>>
>>>> Quoting Xavier (2018-11-26 16:29:32)
>>>>> Embedding components without following them may be a security weakness.
>>>>> I think we should have a policy for embedding:
>>>>>  - components without major risks   => not used in version
>>>>>  - components that must be followed => declared as "group" in
>>>>>    debian/watch
>>>>>  - components that must be followed and used in many other packages
>>>>>    => packaged separately
>>>>
>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>>>> With yesterday's news about the event-stream node module being pwned: 
>>>>> https://github.com/dominictarr/event-stream/issues/116
>>>>> the importance of these matters should be clear to anyone.
>>>>> Probably there is no component "without major risks", and even if it 
>>>>> existed, it would be unfair to lay upon the busy maintainer the task 
>>>>> of deciding if it is risky or not.
>>>>
>>>> Thanks to _both_ of you (and others in the thread) for all your work 
>>>> tackling these issues.
>>>>
>>>> My point here is *not* to point fingers, but to emphasize an important 
>>>> aspect of our task as (re)distributors of code: Ensure code integrity 
>>>> towards our users.
>>>>
>>>>
>>>>  - Jonas
>>>
>>> Thanks, so I propose this policy update - please review this:
>>>  - components used only during build => not used in version
>>>    (except if they inject some code)
>>>  - if upstream version isn't locked on dependencies (see Jérémy's remark)
>>>    [or if upstream isn't serious?]:
>>>    * very small component => not used in version
>>>    * components that must be followed and maybe used in many other
>>>      packages              => packaged separately
>>>    * other components      => declared as "group" in debian/watch
>>
>> Sorry, I don't understand: Why not track code used during build?
>>
>> Seems you propose to systematically ignore potential upstream bugfixes.
>>
>>
>>  - Jonas
> 
> I was thinking of modules used to generate documentation, to test, ... So
> even if there is a security issue in them, the risk doesn't exist in the
> published binary

This can avoid having too long a version string. We talked about version
summarization earlier, but it had many cons.
