On Fri, May 11, 2018 at 5:27 PM, Chris Lamb <la...@debian.org> wrote: > retitle 898431 please update version of file(1) on lindsay.debian.org to > detect .wasm files > thanks > > Bastien, > >> source-contains-prebuilt-wasm-binary source tag is not emitted due to >> too old file. > > To clarify anyone else who had difficult parsing this, "file" here > refers to file(1)/src:file, not the to the prebuilt .wasm file itself. > > Niels, is this one for us or DSA? > >> wasm is a crap over a crap of nodejs communauty. > > Please try and keep these inflammatory and ultimately non-technical > comments to a minimum. They can do nothing but demotivate the already- > overworked Javascript team from trying to fix these issues at their > core.
I am part of js team. It hurt us twice the last month. sorry for the inflamatory language > >> Why js file even minified an human could with some hard work undestand >> security implication. > > I think what you are trying to say here is that precompiled files are > more difficult to evaulate and patch for security vulnerabilies. Is > that correct? Yes it is. wasm is compiled not precompiled. So you need to use binary patch. No patch. It is like patching .o object. and this o object will be injected in your browser in a sandbox (hopefully) So better to detect this earlier. I could not found how to detect source-is-missing because source file could be any language (like c) source file. Bastien > > > Regards, > > -- > ,''`. > : :' : Chris Lamb > `. `'` la...@debian.org / chris-lamb.co.uk > `-
