On 27/11/2018 at 13:47, Xavier wrote:
> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>> Hi Xavier and Paolo,
>>
>> Please allow me to highlight this security-related detail:
>>
>> Quoting Xavier (2018-11-26 16:29:32)
>>> Embedding components without following them may be a lack of security.
>>> I think we should have a policy for embedding:
>>> - components without major risks => not used in version
>>> - components that must be followed => declared as "group" in
>>> debian/watch
>>> - components that must be followed and used in many other packages
>>> => packaged separately
>>
>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>> With yesterday's news about the event-stream node module being pwned:
>>> https://github.com/dominictarr/event-stream/issues/116
>>> the importance of these matters should be clear to anyone.
>>> Probably there is no component "without major risks", and even if it
>>> existed, it would be unfair to lay upon the busy maintainer the task
>>> of deciding if it is risky or not.
>>
>> Thanks to _both_ of you (and others in the thread) for all your work
>> tackling these issues.
>>
>> My point here is *not* to point fingers, but to emphasize an important
>> aspect of our task as (re)distributors of code: Ensure code integrity
>> towards our users.
>>
>>
>> - Jonas
>
> Thanks, so I propose this policy update - please review this:
> - components used only during build => not used in version
> (except if they inject some code)
> - if upstream version isn't locked on dependencies (see Jérémy's remark)
> [or if upstream isn't serious?]:
> * very little component => not used in version
> * components that must be followed and maybe used in many other
> packages => packaged separately
> * other components => declared as "group" in debian/watch
>
> Sharing policy (components published via debian/control "Provides:") -
> please review this:
> - components used only during build => no
> - components locked to a too-old version => no [needs to patch code
> to replace "require('x')" by "require('main_mod/x/index.js')" and to
> install this component in /usr.../main_mod/x]. Maybe a better way?
> - components installed in main node_modules => published
>
>
> Example with node-mongodb:
> - mongodb-core => group + published
> - bson => group + not published (locked to 1.1.0 while upstream
> published a 4.0.0, NB: same author so less security risk)
> - require_optional => not grouped + not published (simple package that
> avoids failure on "require" of an optional module: try/catch)
>
> Maybe a "debian/README.source" might be required for the DD to explain
> his choices (lintian error if missing).
>
> I think also that dak should redirect an upload to the NEW queue when a new
> component is added, at least in version (like every time a new binary
> package is added)
>
> Regards,
> Xavier
Another problem to keep in mind: imagine node-mongodb published "require_optional" or "bson" in /usr/lib/nodejs or /usr/lib/node_modules. Then every module that wants to use require_optional will depend on the node-mongodb driver! We must evaluate this point before publishing a component (and so locking the /usr/lib/nodejs/<name> directory), to decide whether it would pull in too many unwanted packages.

(NB: I will upload a new version of node-mongodb, consistent with the policy once it is stable)

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
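As an added example (not code from this thread, from devscripts, or from node-mongodb): a small Python checker that reads the `component=` and `group` declarations of a debian/watch file, as used in Xavier's proposal, and reports every directory in node_modules that is neither followed by uscan nor explicitly waived in debian/README.source. The debian/watch text, the node_modules listing and the waived set are constructed sample data modelled on the node-mongodb example above; the uscan syntax shown (`opts="component=..."`, the `group` version field, `@ARCHIVE_EXT@`) is assumed to match the devscripts version in use.

```python
"""
Audit the components embedded in node_modules against debian/watch.

Added example, not part of the thread or of any Debian tool.  The watch
file, the node_modules listing and the waiver list are constructed data.
"""
import re

# Constructed sample debian/watch following the node-mongodb example:
# mongodb-core and bson are followed as "group" components,
# require_optional is embedded but deliberately not tracked.
SAMPLE_WATCH = r"""version=4
opts="searchmode=plain,pgpmode=none" \
 https://registry.npmjs.org/mongodb \
 https://registry.npmjs.org/mongodb/-/mongodb-(\d[\d\.]*)@ARCHIVE_EXT@ group
opts="searchmode=plain,pgpmode=none,component=mongodb-core" \
 https://registry.npmjs.org/mongodb-core \
 https://registry.npmjs.org/mongodb-core/-/mongodb-core-(\d[\d\.]*)@ARCHIVE_EXT@ group
opts="searchmode=plain,pgpmode=none,component=bson" \
 https://registry.npmjs.org/bson \
 https://registry.npmjs.org/bson/-/bson-(\d[\d\.]*)@ARCHIVE_EXT@ group
"""

# Constructed listing of the directories found in the source tree's
# node_modules; "unlisted-helper" is a made-up name standing for a
# component nobody declared anywhere.
SAMPLE_NODE_MODULES = ["mongodb-core", "bson", "require_optional", "unlisted-helper"]

# Components the maintainer chose not to follow (the justification
# would live in debian/README.source, as proposed in the thread).
WAIVED = {"require_optional"}

COMPONENT_RE = re.compile(r'component=([^,"\s]+)')


def join_continuations(text):
    """Join backslash-continued lines, as uscan does when reading debian/watch."""
    return text.replace("\\\n", " ")


def declared_components(watch_text):
    """Return every component name declared with opts=component=... ."""
    return set(COMPONENT_RE.findall(join_continuations(watch_text)))


def grouped_components(watch_text):
    """Return the components whose watch entry uses the 'group' version mode."""
    result = set()
    for line in join_continuations(watch_text).splitlines():
        m = COMPONENT_RE.search(line)
        if m and line.rstrip().endswith(" group"):
            result.add(m.group(1))
    return result


def audit(watch_text, node_modules, waived):
    """Classify each embedded module as tracked, waived or undeclared."""
    tracked = grouped_components(watch_text)
    report = {}
    for name in node_modules:
        if name in tracked:
            report[name] = "tracked: followed as a group component in debian/watch"
        elif name in waived:
            report[name] = "waived: not followed, must be justified in debian/README.source"
        else:
            report[name] = "UNDECLARED: embedded but followed nowhere"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_WATCH, SAMPLE_NODE_MODULES, WAIVED).items()):
        print(f"{name:20} {status}")
```

Run against a real package by reading debian/watch and listing node_modules instead of the constructed constants; an "UNDECLARED" line is exactly the case the proposed policy wants to catch before upload, and could be turned into a lintian-style check.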