Quoting Xavier (2018-11-27 14:00:42)
> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > Hi Xavier and Paolo,
> >
> > Please allow me to highlight this security-related detail:
> >
> > Quoting Xavier (2018-11-26 16:29:32)
> >> Embedding components without following them may be a lack of security.
> >> I think we should have a policy for embedding:
> >> - components without major risks => not used in version
> >> - components that must be followed => declared as "group" in
> >>   debian/watch
> >> - components that must be followed and used in many other packages
> >>   => packaged separately
> >
> > Quoting Paolo Greppi (2018-11-27 10:52:37)
> >> With yesterday's news about the event-stream node module being pwned:
> >> https://github.com/dominictarr/event-stream/issues/116
> >> the importance of these matters should be clear to anyone.
> >> Probably there is no component "without major risks", and even if it
> >> existed, it would be unfair to lay upon the busy maintainer the task
> >> of deciding if it is risky or not.
> >
> > Thanks to _both_ of you (and others in the thread) for all your work
> > tackling these issues.
> >
> > My point here is *not* to point fingers, but to emphasize an important
> > aspect of our task as (re)distributors of code: Ensure code integrity
> > towards our users.
> >
> >
> > - Jonas
>
> Thanks, so I propose this policy update - please review this:
> - components used only during build => not used in version
>   (except if they inject some code)
> - if upstream version isn't locked on dependencies (see Jérémy's remark)
>   [or if upstream isn't serious?]:
>   * very little component => not used in version
>   * components that must be followed and maybe used in many other
>     packages => packaged separately
>   * other components => declared as "group" in debian/watch
Sorry, I don't understand: Why not track code used during build?

Seems you propose to systematically ignore potential upstream bugfixes.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
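The thread's concern is embedded ("vendored") components that nobody follows: a module copied into a package tree ships to users, but if it is not declared anywhere, no one notices when upstream fixes or compromises it. The script below is an added example, not code from the list or from any Debian tool: it inventories every package.json below a package root and compares the result with a declared name/version list, reporting components that are embedded but undeclared, declared but gone, or embedded at a version other than the one declared. The directory layout, the declared-list format and the sample component names are assumptions constructed for the example.

```python
"""Inventory embedded JavaScript components and compare them with a
declared list, so that no embedded code ships untracked.

Added example. The tree layout (node_modules/<name>/package.json) and
the declared-list format are assumptions, not a Debian policy artefact.
"""
import json
import tempfile
from pathlib import Path


def inventory_components(root):
    """Return {name: version} for every package.json found below root.

    The root's own package.json is skipped: that is the main package,
    not an embedded component.
    """
    root = Path(root)
    found = {}
    for pkg in root.rglob("package.json"):
        if pkg.parent == root:
            continue
        try:
            meta = json.loads(pkg.read_text())
        except (OSError, ValueError):
            # Unreadable or malformed metadata: skipped here; a real
            # check should report it rather than silently ignore it.
            continue
        name, version = meta.get("name"), meta.get("version")
        if name and version:
            found[name] = version
    return found


def check_against_declared(found, declared):
    """Compare the inventory with a declared {name: version} mapping.

    undeclared: embedded but tracked by nobody (the risk the thread is about)
    missing:    declared but no longer embedded (stale declaration)
    mismatch:   embedded at a version different from the declared one
    """
    undeclared = sorted(set(found) - set(declared))
    missing = sorted(set(declared) - set(found))
    mismatch = sorted(n for n in found if n in declared and found[n] != declared[n])
    return {"undeclared": undeclared, "missing": missing, "mismatch": mismatch}


def build_sample_tree():
    """Constructed sample tree with made-up component names and versions."""
    root = Path(tempfile.mkdtemp(prefix="embedded-check-"))
    (root / "package.json").write_text(json.dumps({"name": "main-pkg", "version": "1.0.0"}))
    for name, version in [("util-a", "2.1.0"), ("stream-b", "3.3.0"), ("tiny-c", "0.0.2")]:
        comp = root / "node_modules" / name
        comp.mkdir(parents=True)
        (comp / "package.json").write_text(json.dumps({"name": name, "version": version}))
    return root


# Constructed declared list: one match, one version mismatch, one stale entry.
SAMPLE_DECLARED = {"util-a": "2.1.0", "stream-b": "3.2.9", "old-d": "1.0.0"}


def run_check(root=None, declared=SAMPLE_DECLARED):
    """Run the full check; uses the constructed sample tree when no root is given."""
    root = root or build_sample_tree()
    return check_against_declared(inventory_components(root), declared)


if __name__ == "__main__":
    for category, names in run_check().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run against a real package tree by passing its root and the maintainer's own declared list to `run_check`; a non-empty `undeclared` list is the case the thread warns about, and a `mismatch` means the declaration has drifted from what is actually shipped.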
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel