[Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package
Xavier
yadd at debian.org
Tue Sep 18 20:21:35 BST 2018
On 18/09/2018 at 21:08, Moritz Mühlenhoff wrote:
> On Thu, Sep 13, 2018 at 11:59:20AM +0200, Xavier wrote:
>> Ref:
>>
>> Hi all,
>>
>> Ftpmasters want to reduce node packages in NEW queue [1]. Extract:
>>
>> ...
>>
>> After a long discussion in JS team, I built a Wiki draft [2] and I would
>> like to have an opinion of Security Team before continuing in this way.
>
> I see the general direction, but I think this won't fully solve the actual
> problems we're seeing with applications using nodejs modules.
>
> We need to look at this from the view of the web applications to be packaged,
> not from the view of individual packages.
>
> Dealing with the bundles on the packages level is only part of the problem,
> though. This can only be made manageable with additional policy/archive
> changes, basically what I outlined at
> https://lists.debian.org/debian-devel/2018/02/msg00354.html before.
>
> So I'd encourage you to extend/generalise this (the same problem is also
> applicable to Ruby packages to some extent) so that it's ready for the
> buster release.
>
> Cheers,
> Moritz

Hello Moritz,

thanks for this feedback. The JS policy could filter/accept packages if
they match one rule:
- web app and its main dependencies (other embedded)
- "driver": LDAP/SQL connectors, ... especially if they are linked to a
  C library
- main JS frameworks (bootstrap, vue.js, jQuery, ...)

JS-Team / Ftpmasters: any advice on this?