Package: firefox
Version: 57.0.0
Severity: serious
Tags: upstream
Justification: Policy 4.13
Forwarded: https://bugzilla.mozilla.org/show_bug.cgi?id=1420286
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
Control: tags -1 + security

Hi,

By default, firefox does not allow symlinks in system extensions. It is really bad from the point of view of the javascript team, from the point of view of maintainability and security... Chrome allows symlinks, BTW.

Maintainers do a copy of each javascript file instead at build time (they do not use triggers....)

I found this bug during a lintian audit of embedded javascript packages. This is not documented and I do know if security team is aware of this.

Firefox upstream recommends using packaged and signed extensions. It is worse from the point of view of the javascript team because it will need binNMUs of arch all files, which is not implemented.

Therefore, could we recover the old system of working symlinks? We now have salsa to test regressions and it could be safe.

Bastien