[Pkg-javascript-devel] components without major risks

Bastien ROUCARIES roucaries.bastien at gmail.com
Tue Nov 27 14:48:01 GMT 2018


On Tue, Nov 27, 2018 at 3:45 PM Xavier <yadd at debian.org> wrote:
>
> On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 15:22:10)
> >> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> >>> Quoting Xavier (2018-11-27 14:00:42)
> >>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>>>> Hi Xavier and Paolo,
> >>>>>
> >>>>> Please allow me to highlight this security-related detail:
> >>>>>
> >>>>> Quoting Xavier (2018-11-26 16:29:32)
> >>>>>> Embedding components without following them may be a lack of security.
> >>>>>> I think we should have a policy for embedding:
> >>>>>>  - components without major risks   => not used in version
> >>>>>>  - components that must be followed => declared as "group" in
> >>>>>>    debian/watch
> >>>>>>  - components that must be followed and used in many other packages
> >>>>>>    => packaged separately
> >>>>>
> >>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> >>>>>> With yesterday's news about the event-stream node module being pwned:
> >>>>>> https://github.com/dominictarr/event-stream/issues/116
> >>>>>> the importance of these matters should be clear to anyone.
> >>>>>> Probably there is no component "without major risks", and even if it
> >>>>>> existed, it would be unfair to lay upon the busy maintainer the task
> >>>>>> of deciding if it is risky or not.
> >>>>>
> >>>>> Thanks to _both_ of you (and others in the thread) for all your work
> >>>>> tackling these issues.
> >>>>>
> >>>>> My point here is *not* to point fingers, but to emphasize an important
> >>>>> aspect of our task as (re)distributors of code: Ensure code integrity
> >>>>> towards our users.
> >>>>>
> >>>>>
> >>>>>  - Jonas
> >>>>
> >>>> Thanks, so I propose this policy update - please review this:
> >>>>  - components used only during build => not used in version
> >>>>    (except if they inject some code)
> >>>>  - if upstream version isn't locked on dependencies (see Jérémy's remark)
> >>>>    [or if upstream isn't serious?]:
> >>>>    * very little component => not used in version
> >>>>    * components that must be followed and maybe used in many other
> >>>>      packages              => packaged separately
> >>>>    * other components      => declared as "group" in debian/watch
> >>>
> >>> Sorry, I don't understand: Why not track code used during build?
> >>>
> >>> Seems you propose to systematically ignore potential upstream bugfixes.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> I was thinking of modules used to generate documentation, to test, ... So
> >> even if there is a security issue in them, the risk doesn't exist in the
> >> published binary.
> >
> > I think it is dangerous to try to judge systematically and automatically,
> > with no qualitative input, what has security implications and what does not!
> >
> >  - Jonas
>
> You're right, but this has some other cons (version string length, ...).
> Today, components are allowed without any version following. So this
> point should also be inserted in Debian policy, shouldn't it?

Components were created for packaging multiple tarballs of the same project.
See the cernlib package and cry, for instance.
