On 9/3/13 2:04 PM, Daniel Kahn Gillmor wrote:
> i'm sorry to hear you feel this way. I'm not asking due to
> paranoia -- as i mentioned in the original bug report, there are at
> least three cases that could cause people to want to do this:
> concerns about google, concerns about cleartext code injection by
> someone who controls the network (e.g. in a public wifi zone), and
> concerns about machines that have no internet connection at all.
> You may think that the first two categories are "paranoia" (though
> others with different network habits or adversary models than you
> may disagree), but the last category is a basic operation
> requirement for some users. Why not make it friendly for them?

Because it's not a requirement to see `powertop.html`. If the file is
not found then it doesn't give errors, which is what put `jquery` in the
`suggests` field. Fewer people install suggestions than have internet
while loading an HTML file.

>
>> Not only that, I don't like how people believe JavaScript
>> libraries are maintained as other languages' libraries. Right now
>> in unstable is 1.7.2 which is the one compatible with current
>> powertop, but as soon as it gets updated with 1.10.x it will break.
>> That will create more bugs, and I won't create bugs for paranoia
>> which will lead to nothing.
>
> If API version compatibility is a problem, and libjquery-js is
> breaking compatibility in ways that it needs to avoid, please
> submit a bug report asking for library-style packaging of core
> javascript libraries (e.g. libjs-jquery-1.7, if 1.7 is where the
> stable API is maintained). If a given version of jquery API is
> required for viewing the output, we should be explicit about that.

Won't do that. In the package-management paradigm of operating systems
there's no sane way to keep up with how JavaScript libraries work.
Sorry, but that's a no-no. More people are needed in other fields of
Debian than in maintaining highly changing JavaScript libraries. I do
development in JavaScript primarily at work, and I can't use packaged
js-libs because of this, so I refuse to suggest that people waste their
time.

To handle JavaScript libraries there are already two sane ways: use
either NPM or Bower. Most of this is transparent to the user unless one
is using a local file (which is the case in this report), and when using
a local file the suggested way is using a public CDN (which is what is
being done).

>
>> You can't access the local fs via JavaScript in the browser, and
>> the exploit can be done in the same domain. You will read it from
>> file:/// so nothing will happen.
>
> I may be misunderstanding what you're saying here, but it sounds to
> me like you're suggesting that there is no way for an attacker who
> can inject arbitrary javascript into a page loaded via a file:///
> URL can do any harm. Even if this is true in the abstract (i'm not
> convinced it is, given that there are a number of possible attacks
> other than reading from the local filesystem), and if all browsers
> implemented their javascript stacks with the appropriate
> sandboxing, this wouldn't resolve the problem for machines without
> full internet access.

That's how it works: the primary exploits from JavaScript are reading
cookies, which are not accessible if you are using file://. This is
served from a public repository that is widely used, and the use of
jQuery is limited to showing and hiding elements; not only that, there's
no input of data in it. So, what's the security risk?

About people without internet, I already gave my argument in the first
paragraph.

>
> Anyway, it is of course your call on what to do; but i think it's
> a shame that (a) all of the code involved is free software, already
> in debian, yet (b) we're relying on cleartext third-party
> transmissions for this functionality.

And it is serving free software; there are no ties on licensing or
liberty in using a CDN, it just isn't bloating the software, which is
something some people tend to do. My priority is making software that
will work if you have internet but don't have libjquery installed from
dpkg, which is a bigger use-case than people who do not have internet
AND have libjquery installed from dpkg. I can see the argument of "but
that's the Debian way", but for this case it is not the right way to do
it.

Thanks for your feedback Daniel,
Kind regards.
-- 
Jose Luis Rivas
http://joseluisrivas.net/