On 3/6/18 3:36 PM, Nicholas Alexander wrote: > Hi Peter, others, > > On Tue, Mar 6, 2018 at 1:13 PM, Peter Saint-Andre <stpe...@mozilla.com > <mailto:stpe...@mozilla.com>> wrote: > > On 2/28/18 5:23 PM, Nicholas Alexander wrote: > > Hello dev-platform, > > > > For the reasons outlined at > > > https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing > > <https://docs.google.com/document/d/1tOA2aeyjT93OoMv5tUMhAPOkf4rF_IJIHCAoJlwmDHI/edit?usp=sharing>, > > It would be good to document the security implications of this approach. > By using Node we will probably inherit a large number of third-party > dependencies. Although we could use a service such as the Node Security > Platform [1] to determine the security status of these dependencies, > regular monitoring and upgrading will be needed to ensure that we do not > introduce vulnerabilities into our build process. > > > This is an excellent point, and I will add a section into the "Intent to > require Node to build Firefox 61" document discussing it.
Great. > There is a separate but related sibling proposal that has not yet left a > small working group that aims to make vendoring into mozilla-central > more uniform and more automated. That proposal directly addresses the > security story around vendored third-party dependencies and their > transitive dependencies -- in fact, it's a motivating force behind that > proposal. We (folks behind the Node proposal) are actively working with > the folks behind this sibling proposal to ensure that we have a workable > solution to upgrading Node dependencies across the tree in a timely > manner in the face of security updates. Looking forward to hearing more. > Thanks for sharing the nodesecurity.io <http://nodesecurity.io> service > -- I'll read more as I add the section. There a few other services like that (e.g., Snyk, SourceClear), I just happen to know NSP best because I've used it at previous companies. Peter
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dev-builds mailing list dev-builds@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-builds