[Pkg-javascript-devel] components without major risks

Jérémy Lal kapouer at melix.org
Tue Nov 27 14:24:21 GMT 2018 

Le mar. 27 nov. 2018 à 15:22, Xavier <yadd at debian.org> a écrit :

> Le 27/11/2018 à 15:03, Jonas Smedegaard a écrit :
> > Quoting Xavier (2018-11-27 14:00:42)
> >> Le 27/11/2018 à 11:55, Jonas Smedegaard a écrit :
> >>> Hi Xavier and Paolo,
> >>>
> >>> Please allow me to highlight this security-related detail:
> >>>
> >>> Quoting Xavier (2018-11-26 16:29:32)
> >>>> Embedding components without following them may be a lack of
> security.
> >>>> I think we should have a policy for embedding:
> >>>>  - components without major risks   => not used in version
> >>>>  - components that must be followed => declared as "group" in
> >>>>    debian/watch
> >>>>  - components that must be followed and used in many other packages
> >>>>    => packaged separately
> >>>
> >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> >>>> With yesterday's news about the event-stream node module being pwned:
> >>>> https://github.com/dominictarr/event-stream/issues/116
> >>>> the importance of these matters should be clear to anyone.
> >>>> Probably there is no component "without major risks", and even if it
> >>>> existed, it would be unfair to lay upon the busy maintainer the task
> >>>> of deciding if it is risky or not.
> >>>
> >>> Thanks to _both_ of you (and others in the thread) for all your work
> >>> tackling these issues.
> >>>
> >>> My point here is *not* to point fingers, but to emphasize an important
> >>> aspect of our task as (re)distributors of code: Ensure code integrity
> >>> towards our users.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> Thanks, so I propose this policy update - please review this:
> >>  - components used only during build => not used in version
> >>    (except if they inject some code)
> >>  - if upstream version isn't locked on dependencies (see Jérémy remark)
> >>    [or if upstream isn't serious?]:
> >>    * very little component => not used in version
> >>    * components that must be followed and maybe used in many other
> >>      packages              => packaged separately
> >>    * other components      => declared as "group" in debian/watch
> >
> > Sorry, I don't understand: Why not track code used during build?
> >
> > Seems you propose to systematically ignore potential upstream bugfixes.
> >
> >
> >  - Jonas
>
> I was thinking to modules used to generate documentation, to test,... So
> even if there is a security issue in them, risk doesn't exist in
> published binary
>

If there's something able to inject code in documentation (especially in
html) it's a big issue...

Jérémy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20181127/49f07014/attachment.html>

More information about the Pkg-javascript-devel mailing list