[Pkg-javascript-devel] components without major risks
Xavier
yadd at debian.org
Tue Nov 27 17:19:47 GMT 2018
On 27/11/2018 at 15:48, Bastien ROUCARIES wrote:
> On Tue, Nov 27, 2018 at 3:45 PM Xavier <yadd at debian.org> wrote:
>>
>> On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
>>> Quoting Xavier (2018-11-27 15:22:10)
>>>> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>>>>> Quoting Xavier (2018-11-27 14:00:42)
>>>>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>>>>>> Hi Xavier and Paolo,
>>>>>>>
>>>>>>> Please allow me to highlight this security-related detail:
>>>>>>>
>>>>>>> Quoting Xavier (2018-11-26 16:29:32)
>>>>>>>> Embedding components without following them may be a lack of security.
>>>>>>>> I think we should have a policy for embedding:
>>>>>>>> - components without major risks => not used in version
>>>>>>>> - components that must be followed => declared as "group" in
>>>>>>>> debian/watch
>>>>>>>> - components that must be followed and used in many other packages
>>>>>>>> => packaged separately
>>>>>>>
>>>>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>>>>>>> With yesterday's news about the event-stream node module being pwned:
>>>>>>>> https://github.com/dominictarr/event-stream/issues/116
>>>>>>>> the importance of these matters should be clear to anyone.
>>>>>>>> Probably there is no component "without major risks", and even if it
>>>>>>>> existed, it would be unfair to lay upon the busy maintainer the task
>>>>>>>> of deciding if it is risky or not.
>>>>>>>
>>>>>>> Thanks to _both_ of you (and others in the thread) for all your work
>>>>>>> tackling these issues.
>>>>>>>
>>>>>>> My point here is *not* to point fingers, but to emphasize an important
>>>>>>> aspect of our task as (re)distributors of code: Ensure code integrity
>>>>>>> towards our users.
>>>>>>>
>>>>>>>
>>>>>>> - Jonas
>>>>>>
>>>>>> Thanks, so I propose this policy update - please review this:
>>>>>> - components used only during build => not used in version
>>>>>> (except if they inject some code)
>>>>>> - if upstream version isn't locked on dependencies (see Jérémy's remark)
>>>>>> [or if upstream isn't serious?]:
>>>>>> * very little component => not used in version
>>>>>> * components that must be followed and maybe used in many other
>>>>>> packages => packaged separately
>>>>>> * other components => declared as "group" in debian/watch
>>>>>
>>>>> Sorry, I don't understand: Why not track code used during build?
>>>>>
>>>>> Seems you propose to systematically ignore potential upstream bugfixes.
>>>>>
>>>>>
>>>>> - Jonas
>>>>
>>>> I was thinking of modules used to generate documentation, to test,... So
>>>> even if there is a security issue in them, the risk doesn't exist in the
>>>> published binary
>>>
>>> I think it is dangerous to try to judge systematically and automatically with
>>> no qualitative input what has security implications and what does not!
>>>
>>> - Jonas
>>
>> You're right but this has some other cons (version string length,...).
>> Today, components are allowed without any version following. So this
>> point should also be inserted in Debian policy, shouldn't it?
>
> Components were created for packaging multiple tarballs of the same project.
> See the cernlib package and cry for instance

I updated https://wiki.debian.org/Javascript/GroupSourcesTutorial
Please review it:
- format: English to review (this is not my mother language)
- content: I tried to write the 2 policies
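As an added illustration (not text from the wiki tutorial or from anyone on this list), here is what the proposed categories look like in a single debian/watch file: one component that must be followed, declared with uscan's `group` version mode, and one build-only component kept out of the version string with `ignore`; the "packaged separately" case has no watch line at all. The package names are constructed placeholders, and it is assumed that the main source line also carries `group` so that the package version is built as main version followed by `+~` and each followed component's version.

```text
version=4
# Main upstream source: its version is the first element of the package version.
opts="searchmode=plain,pgpmode=none" \
  https://registry.npmjs.org/example-main \
  https://registry.npmjs.org/example-main/-/example-main-(\d[\d.]*)@ARCHIVE_EXT@ group

# Component that must be followed: "group" mode appends its version
# (package version becomes <main>+~<followed-dep>), so a new upstream
# release of this dependency is reported by uscan and changes the version.
opts="searchmode=plain,pgpmode=none,component=followed-dep" \
  https://registry.npmjs.org/followed-dep \
  https://registry.npmjs.org/followed-dep/-/followed-dep-(\d[\d.]*)@ARCHIVE_EXT@ group

# Build-only component (documentation or test tooling, "without major risks"):
# still listed so uscan keeps following it, but "ignore" keeps it out of
# the version string.
opts="searchmode=plain,pgpmode=none,component=build-only-dep" \
  https://registry.npmjs.org/build-only-dep \
  https://registry.npmjs.org/build-only-dep/-/build-only-dep-(\d[\d.]*)@ARCHIVE_EXT@ ignore
```

With such a file, `uscan --report` lists the upstream version of every component, including the ignored one, so a vulnerable build-only module is still visible even though it does not change the package version.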