Le 27/11/2018 à 15:03, Jonas Smedegaard a écrit :
> Quoting Xavier (2018-11-27 14:00:42)
>> Le 27/11/2018 à 11:55, Jonas Smedegaard a écrit :
>>> Hi Xavier and Paolo,
>>>
>>> Please allow me to highlight this security-related detail:
>>>
>>> Quoting Xavier (2018-11-26 16:29:32)
>>>> Embedding components without following them may be a lack of security. 
>>>> I think we should have a policy for embedding:
>>>>  - components without major risks   => not used in version
>>>>  - components that must be followed => declared as "group" in
>>>>    debian/watch
>>>>  - components that must be followed and used in many other packages
>>>>    => packaged separately
>>>
>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>>> With yesterday's news about the event-stream node module being pwned: 
>>>> https://github.com/dominictarr/event-stream/issues/116
>>>> the importance of these matters should be clear to anyone.
>>>> Probably there is no component "without major risks", and even if it 
>>>> existed, it would be unfair to lay upon the busy maintainer the task 
>>>> of deciding if it is risky or not.
>>>
>>> Thanks to _both_ of you (and others in the thread) for all your work 
>>> tackling these issues.
>>>
>>> My point here is *not* to point fingers, but to emphasize an important 
>>> aspect of our task as (re)distributors of code: Ensure code integrity 
>>> towards our users.
>>>
>>>
>>>  - Jonas
>>
>> Thanks, so I propose this policy update - please review this:
>>  - components used only during build => not used in version
>>    (except if they inject some code)
>>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>>    [or if upstream isn't serious?]:
>>    * very little component => not used in version
>>    * components that must be followed and maybe used in many other
>>      packages              => packaged separately
>>    * other components      => declared as "group" in debian/watch
> 
> Sorry, I don't understand: Why not track code used during build?
> 
> Seems you propose to systematically ignore potential upstream bugfixes.
> 
> 
>  - Jonas

I was thinking to modules used to generate documentation, to test,... So
even if there is a security issue in them, risk doesn't exist in
published binary

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to