[Pkg-javascript-devel] components without major risks

Xavier yadd at debian.org
Tue Nov 27 14:45:53 GMT 2018


On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
> Quoting Xavier (2018-11-27 15:22:10)
>> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>>> Quoting Xavier (2018-11-27 14:00:42)
>>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>>>> Hi Xavier and Paolo,
>>>>>
>>>>> Please allow me to highlight this security-related detail:
>>>>>
>>>>> Quoting Xavier (2018-11-26 16:29:32)
>>>>>> Embedding components without following them may be a security weakness. 
>>>>>> I think we should have a policy for embedding:
>>>>>>  - components without major risks   => not used in version
>>>>>>  - components that must be followed => declared as "group" in
>>>>>>    debian/watch
>>>>>>  - components that must be followed and used in many other packages
>>>>>>    => packaged separately
>>>>>
>>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>>>>> With yesterday's news about the event-stream node module being pwned: 
>>>>>> https://github.com/dominictarr/event-stream/issues/116
>>>>>> the importance of these matters should be clear to anyone.
>>>>>> Probably there is no component "without major risks", and even if it 
>>>>>> existed, it would be unfair to lay upon the busy maintainer the task 
>>>>>> of deciding if it is risky or not.
>>>>>
>>>>> Thanks to _both_ of you (and others in the thread) for all your work 
>>>>> tackling these issues.
>>>>>
>>>>> My point here is *not* to point fingers, but to emphasize an important 
>>>>> aspect of our task as (re)distributors of code: Ensure code integrity 
>>>>> towards our users.
>>>>>
>>>>>
>>>>>  - Jonas
>>>>
>>>> Thanks, so I propose this policy update - please review this:
>>>>  - components used only during build => not used in version
>>>>    (except if they inject some code)
>>>>  - if upstream version isn't locked on dependencies (see Jérémy's remark)
>>>>    [or if upstream isn't serious?]:
>>>>    * very small component  => not used in version
>>>>    * components that must be followed and maybe used in many other
>>>>      packages              => packaged separately
>>>>    * other components      => declared as "group" in debian/watch
>>>
>>> Sorry, I don't understand: Why not track code used during build?
>>>
>>> Seems you propose to systematically ignore potential upstream bugfixes.
>>>
>>>
>>>  - Jonas
>>
>> I was thinking of modules used to generate documentation, to test, ... So
>> even if there is a security issue in them, the risk doesn't exist in the
>> published binary
> 
> I think it is dangerous to try to judge systematically and automatically, with 
> no qualitative input, what has security implications and what does not!
> 
>  - Jonas

You're right, but this has some other cons (version string length, ...).
Today, components are allowed without any version following. So this
point should also be inserted in Debian policy, shouldn't it?


