Hi

Adam Thompson wrote on 09.02.2023, 8:13 +0000:
> On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote:
>> I don't understand why there would be security concerns with quickjs. It is
>> a language interpreter. It either works or it doesn't. All the security
>> concerns fall on edbrowse, which is already packaged in several distros.
>
> To provide a little more context, whereas adding an additional interpreter
> does create an additional package requiring security support, it is no more
> than any other library as far as its integration with Edbrowse. We're a lot
> less js-centric in terms of our browsing engine than other browsers and
> Quickjs is a lot more of a pure interpreter than more browser-integrated js
> engines, at least that's how it appears.
Thanks for the context and your clarifications. My intent has not been to enforce any decision or to criticise what is being done. I know that the developer base of Edbrowse is small, and I am working on similar projects, so I know the maintenance burden of dependencies. This is exactly why I brought this up: understanding the rationale behind the decision.

However, I still ask for a bit more understanding for the Debian view, as the Security team needs to know about QuickJS (among more than 38000 other packages). QA is taken seriously, so my e-mail is just a step in that process :-).

I'll take your arguments to the security team and let's see where it goes. It might well be that QuickJS is soon in Debian with the arguments made.

Thanks

Sebastian