[Pkg-javascript-devel] components without major risks
Xavier
yadd at debian.org
Tue Nov 27 14:53:24 GMT 2018
On 27/11/2018 at 15:24, Jérémy Lal wrote:
>
>
> On Tue 27 Nov 2018 at 15:22, Xavier <yadd at debian.org> wrote:
>
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 14:00:42)
> >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>> Hi Xavier and Paolo,
> >>>
> >>> Please allow me to highlight this security-related detail:
> >>>
> >>> Quoting Xavier (2018-11-26 16:29:32)
> >>>> Embedding components without following them may be a lack of security.
> >>>> I think we should have a policy for embedding:
> >>>> - components without major risks => not used in version
> >>>> - components that must be followed => declared as "group" in
> >>>> debian/watch
> >>>> - components that must be followed and used in many other packages
> >>>> => packaged separately
> >>>
> >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> >>>> With yesterday's news about the event-stream node module being pwned:
> >>>> https://github.com/dominictarr/event-stream/issues/116
> >>>> the importance of these matters should be clear to anyone.
> >>>> Probably there is no component "without major risks", and even if it
> >>>> existed, it would be unfair to lay upon the busy maintainer the task
> >>>> of deciding if it is risky or not.
> >>>
> >>> Thanks to _both_ of you (and others in the thread) for all your work
> >>> tackling these issues.
> >>>
> >>> My point here is *not* to point fingers, but to emphasize an important
> >>> aspect of our task as (re)distributors of code: ensure code integrity
> >>> towards our users.
> >>>
> >>>
> >>> - Jonas
> >>
> >> Thanks, so I propose this policy update - please review this:
> >> - components used only during build => not used in version
> >> (except if they inject some code)
> >> - if upstream version isn't locked on dependencies (see Jérémy's remark)
> >> [or if upstream isn't serious?]:
> >> * very little component => not used in version
> >> * components that must be followed and maybe used in many other
> >> packages => packaged separately
> >> * other components => declared as "group" in debian/watch
> >
> > Sorry, I don't understand: Why not track code used during build?
> >
> > Seems you propose to systematically ignore potential upstream bugfixes.
> >
> >
> > - Jonas
>
> I was thinking of modules used to generate documentation, to test, ... So
> even if there is a security issue in them, the risk doesn't exist in the
> published binary.
>
>
> If there's something able to inject code in documentation (especially in
> html) it's a big issue...
Not directly, but it can affect the build machine in the worst case (a
corrupted upstream doc which uses a buffer overflow?).
I think that a Debian policy update should be proposed to fix possible
misuse of components.
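The policy categories discussed in this thread (components used only during build versus components shipped in the binary, and whether upstream locks its dependency versions) can be checked mechanically from a package.json before deciding how an embedded component should be tracked. The following script is an added example written for this archive page; it is not code from the thread, from Debian's tooling or from uscan. The manifest it reads is constructed for the example, and the "runtime"/"build" labels are assumptions mapping `dependencies` to shipped code and `devDependencies` to build-only code.

```python
"""Classify the dependencies declared in a package.json by how a distributor
would need to follow them: build-only (devDependencies) versus runtime
(dependencies), and pinned to an exact version versus floating range.
Added example for this mailing-list page; not Debian or uscan code.
"""
import json
import re

# A spec counts as pinned only when it names one exact version (optionally
# prefixed with "=" or "v"), e.g. "1.2.3" or "=1.2.3". Everything else
# ("^1.2.3", "~1.2", "*", ">=1.0.0", "1.x", git URLs) floats and may pull
# in a different upstream release on each rebuild.
_EXACT = re.compile(r"^[=v]?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def is_pinned(spec):
    """True if the version spec resolves to exactly one upstream version."""
    return bool(_EXACT.match(spec.strip()))


def classify(package_json_text):
    """Return (name, spec, scope, pinned) tuples for every declared dependency.

    scope is "runtime" for `dependencies` (code that ends up in the shipped
    binary) and "build" for `devDependencies` (docs, tests, bundlers): an
    assumed mapping onto the thread's two policy categories.
    """
    data = json.loads(package_json_text)
    rows = []
    for scope, key in (("runtime", "dependencies"), ("build", "devDependencies")):
        for name, spec in sorted(data.get(key, {}).items()):
            rows.append((name, spec, scope, is_pinned(spec)))
    return rows


def needs_tracking(rows):
    """Runtime components whose version floats are the ones that must be
    followed (declared in debian/watch or packaged separately); build-only
    components still run on the build host but do not ship to users."""
    return [r[0] for r in rows if r[2] == "runtime" and not r[3]]


# Constructed sample manifest; the package names are invented for the example.
SAMPLE = """{
  "name": "example-app",
  "dependencies": {
    "left-pad-like": "^1.3.0",
    "pinned-lib": "2.0.1",
    "range-lib": ">=0.1.0 <0.2.0"
  },
  "devDependencies": {
    "doc-generator": "*",
    "test-runner": "=5.4.2"
  }
}"""

if __name__ == "__main__":
    rows = classify(SAMPLE)
    for name, spec, scope, pinned in rows:
        print(f"{scope:8} {'pinned' if pinned else 'FLOATS':7} {name} {spec}")
    print("runtime components to follow:", needs_tracking(rows))
```

Running it on the sample lists `left-pad-like` and `range-lib` as runtime components that must be followed, while `pinned-lib` is fixed to one release and the two build-only tools never reach the shipped package. Note that this only inspects the top-level manifest: the event-stream incident mentioned above was carried by a transitive dependency added in a new upstream release, so a pinned top-level spec is not by itself a reason to stop following a component.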