[Pkg-javascript-devel] components without major risks
Bastien ROUCARIES
roucaries.bastien at gmail.com
Tue Nov 27 14:41:18 GMT 2018
On Tue, Nov 27, 2018 at 3:33 PM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Xavier (2018-11-27 15:22:10)
> > > On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > > Quoting Xavier (2018-11-27 14:00:42)
> > >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > >>> Hi Xavier and Paolo,
> > >>>
> > >>> Please allow me to highlight this security-related detail:
> > >>>
> > >>> Quoting Xavier (2018-11-26 16:29:32)
> > >>>> Embedding components without following them may be a lack of security.
> > >>>> I think we should have a policy for embedding:
> > >>>> - components without major risks => not used in version
> > >>>> - components that must be followed => declared as "group" in
> > >>>> debian/watch
> > >>>> - components that must be followed and used in many other packages
> > >>>> => packaged separately
> > >>>
> > >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> > >>>> With yesterday's news about the event-stream node module being pwned:
> > >>>> https://github.com/dominictarr/event-stream/issues/116
> > >>>> the importance of these matters should be clear to anyone.
> > >>>> Probably there is no component "without major risks", and even if it
> > >>>> existed, it would be unfair to lay upon the busy maintainer the task
> > >>>> of deciding if it is risky or not.
> > >>>
> > >>> Thanks to _both_ of you (and others in the thread) for all your work
> > >>> tackling these issues.
> > >>>
> > >>> My point here is *not* to point fingers, but to emphasize an important
> > >>> aspect of our task as (re)distributors of code: Ensure code integrity
> > >>> towards our users.
> > >>>
> > >>>
> > >>> - Jonas
> > >>
> > >> Thanks, so I propose this policy update - please review this:
> > >> - components used only during build => not used in version
> > >> (except if they inject some code)
> > >> - if upstream version isn't locked on dependencies (see Jérémy's remark)
> > >> [or if upstream isn't serious?]:
> > >> * very small component => not used in version
> > >> * components that must be followed and maybe used in many other
> > >> packages => packaged separately
> > >> * other components => declared as "group" in debian/watch
> > >
> > > Sorry, I don't understand: Why not track code used during build?
> > >
> > > Seems you propose to systematically ignore potential upstream bugfixes.
> > >
> > >
> > > - Jonas
> >
> > I was thinking of modules used to generate documentation, to test, ... So
> > even if there is a security issue in them, the risk doesn't exist in the
> > published binary
>
> I think it is dangerous to try to judge systematically and automatically, with
> no qualitative input, what has security implications and what does not!
I agree here... No more node_modules inside packages. At least it will
be fixed once.
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
>
> [x] quote me freely [ ] ask before reusing [ ] keep private
> --
> Pkg-javascript-devel mailing list
> Pkg-javascript-devel at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel