Hi,

For performance reasons related to boot speed on our platform, today I ported polkit to use Duktape. I recently got pointed to a post that said for security reasons, it's unlikely to see this land, which is a bit disappointing.

Out of curiosity, what would the threat model be here? How would an attacker put bad input into the JS engine to be exploited by a ruleset?

Having been a maintainer of gjs alongside Colin, I know first-hand what it is to work with the mozjs API. Mozilla is *not* focused on embedders, but instead performance and ES6 compliance, which we turn off inside polkit. As such, Mozilla is also not going to release security fixes for js185, js17, js24, etc. When a security bug is found, it basically means we do a wholesale port to the new API, and only after we chase down a guy who can roll a new tarball.

I think duktape, which is actively maintained, which has active standalone and security releases, and is focused on embedding, makes for a much better choice for a system like polkit.

Anyway, since I already did the work, might as well publish it. The branch with changes is here: https://github.com/magcius/polkit/commits/duktape

-- Jasper