[Pkg-javascript-devel] Bug#992150: Please allow symlink in system extension
Bastien Roucariès
roucaries.bastien at gmail.com
Fri Aug 13 15:34:04 BST 2021
Package: firefox
Version: 57.0.0
Severity: serious
Tags: upstream
Justification: Policy 4.13
Forwarded: https://bugzilla.mozilla.org/show_bug.cgi?id=1420286
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org
Control: tags -1 + security
Hi,
By default firefox does not allow symlink in system extension.
It is really bad from the point of view of the javascript team, from a point of
view of maintenability and security...
Chrome allow symlink BTW.
Maintainer do a copy of each javascript file instead at build time (they do not
use trigger....)
I found this bug during a lintian audit of embdeded javascript pacakge. This is
not documented and I do know if security team is aware of this.
Firefox upstream recommand to use packaged and signed extension. It is worse
from the point of view of the javascript team because it will need binNMU of
arch all file, that is not implemented.
Therefore, could we recover the old system of working symlink ? We have now
salsa to test regression and it could be safe.
Bastien
More information about the Pkg-javascript-devel
mailing list