Re: [Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package

2018-09-20 Thread Moritz Mühlenhoff
On Thu, Sep 13, 2018 at 11:59:20AM +0200, Xavier wrote:
> Ref:
> 
> Hi all,
> 
> Ftpmasters want to reduce node packages in NEW queue [1]. Extract:
> 
>   "node packages are rather small and often consist only of a few lines
>   of code. From my point of view it is very unlikely that such packages
>   will change over time, so their code will remain constant forever.
>   More likely upstreams will add new features and pay no attention to
>   backward compatible APIs.
> 
>   In the node ecosystem everything is fine. Their developers use carets
>   or tildes as dependency operators and just depend on the version of
>   the API they really need.
> 
>   In Debian such packages basically create two problems. They bloat the
>   packages file, which prolongs the process of installing or updating
>   packages. Further Debian only allows packages with one, the latest,
>   version in the archive. So uploading packages with the newer API would
>   make packages unusable, that still depend on the older API. Usually
>   this is not recognized and suddenly packages in the archive won't work
>   anymore.
>   One could introduce versions within package names, but this would just
>   multiply the number of node packages."
>   ...
> 
> After a long discussion in JS team, I built a Wiki draft [2] and I would
> like to have an opinion of Security Team before continuing in this way.

I see the general direction, but I think this won't fully solve the actual
problems we're seeing with applications using nodejs modules.

We need to look at this from the view of the web applications to be packaged,
not from the view of individual packages.

Dealing with the bundles on the packages level is only part of the problem,
though. This can only be made manageable with additional policy/archive
changes, basically what I outlined at
https://lists.debian.org/debian-devel/2018/02/msg00354.html before.

So I'd encourage you to extend/generalise this (the same problem is also
applicable to Ruby packages to some extent) so that it's ready for the
buster release.

Cheers,
Moritz

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
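The ftpmaster extract quoted above contrasts npm's caret/tilde dependency ranges with Debian's one-version-per-package archive. The following is an added illustration (not code from the thread, from the JS team or from Debian tooling): it implements the `^` and `~` range semantics and then asks the question the archive has to answer, namely whether one shipped version can satisfy every reverse dependency at once. It assumes plain MAJOR.MINOR.PATCH versions with no pre-release or build tags; the release list and the two dependents' ranges are constructed for the example.

```python
"""Caret/tilde range semantics vs. a single-version archive.

Added illustration (not from the thread): implements the '^' and '~'
operators and shows why one archive version cannot satisfy two dependents
whose ranges do not overlap. Simplification (an assumption of this
example): versions are plain MAJOR.MINOR.PATCH, no pre-release tags.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def range_bounds(spec: str) -> Tuple[Version, Version]:
    """Return the half-open interval [lower, upper) for '^x.y.z', '~x.y.z' or 'x.y.z'."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty version spec")
    op, body = (spec[0], spec[1:]) if spec[0] in "^~" else ("", spec)
    lo = parse_version(body)
    major, minor, patch = lo
    if op == "^":
        # Caret: changes that keep the left-most non-zero component fixed.
        if major > 0:
            hi = (major + 1, 0, 0)
        elif minor > 0:
            hi = (0, minor + 1, 0)
        else:
            hi = (0, 0, patch + 1)
    elif op == "~":
        # Tilde: patch-level changes only.
        hi = (major, minor + 1, 0)
    else:
        # Exact pin: the interval holding just this version.
        hi = (major, minor, patch + 1)
    return lo, hi


def satisfies(version: str, spec: str) -> bool:
    v = parse_version(version)
    lo, hi = range_bounds(spec)
    return lo <= v < hi


def common_version(candidates: List[str], specs: List[str]) -> Optional[str]:
    """Highest candidate satisfying every spec, or None if no single version fits.

    Debian ships exactly one version of a package, so this is the question the
    archive must answer for all reverse dependencies together.
    """
    ok = [c for c in candidates if all(satisfies(c, s) for s in specs)]
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    # Constructed data: upstream releases, and the ranges two hypothetical
    # reverse dependencies declare in their package.json.
    released = ["1.2.0", "1.9.4", "2.0.0", "2.3.1"]
    print(common_version(released, ["^1.2.0"]))            # 1.9.4
    print(common_version(released, ["^1.2.0", "^2.0.0"]))  # None: no single version fits
```

With `^1.2.0` alone the archive can ship 1.9.4 and everybody is happy; add a second dependent on `^2.0.0` and there is no version that satisfies both, which is exactly the "uploading the newer API makes older dependents unusable" situation the extract describes.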

Re: [Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package

2018-09-18 Thread Xavier
On 18/09/2018 at 21:08, Moritz Mühlenhoff wrote:
> On Thu, Sep 13, 2018 at 11:59:20AM +0200, Xavier wrote:
>> Ref:
>>
>> Hi all,
>>
>> Ftpmasters want to reduce node packages in NEW queue [1]. Extract:
>>
>>   ...
>>
>> After a long discussion in JS team, I built a Wiki draft [2] and I would
>> like to have an opinion of Security Team before continuing in this way.
> 
> I see the general direction, but I think this won't fully solve the actual
> problems we're seeing with applications using nodejs modules.
> 
> We need to look at this from the view of the web applications to be packaged,
> not from the view of individual packages.
> 
> Dealing with the bundles on the packages level is only part of the problem,
> though. This can only be made manageable with additional policy/archive
> changes, basically what I outlined at
> https://lists.debian.org/debian-devel/2018/02/msg00354.html before.
> 
> So I'd encourage you to extend/generalise this (the same problem is also
> applicable to Ruby packages to some extent) so that it's ready for the
> buster release.
> 
> Cheers,
> Moritz

Hello Moritz,

thanks for this feedback. The JS policy could filter/accept packages if
they match one rule:
 - web app and its main dependencies (other embedded)
 - "driver": LDAP/SQL connectors,... especially if they are linked to a
   C library
 - main JS frameworks (bootstrap, vue.js, jQuery,...)

JS-Team / Ftpmasters: any advice on this?


Re: [Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package

2018-09-18 Thread Xavier
On 14/09/2018 at 14:09, Yves-Alexis Perez wrote:
> On Thu, 2018-09-13 at 11:59 +0200, Xavier wrote:
>> After a long discussion in JS team, I built a Wiki draft [2] and I would
>> like to have an opinion of Security Team before continuing in this way.
> 
> Hi Xavier,
> 
> could you elaborate on the precise impact for security updates? If I
> understand correctly, what you want is to ship multiple upstream sources in
> one Debian source package? Meaning a security issue in any one of the embedded
> source would mean shipping a DSA for the whole?
> 
> Regards,

Hi Yves-Alexis,

this is the goal of the little "policy": providing all packages using
"Provides:" will avoid having the same module embedded in more than one
package. So a DSA will apply to only one package. If the embedded module is
used only during tests, it can be omitted.


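The reply above relies on every embedded module being declared through `Provides:` so that exactly one package carries it and a DSA touches only that package. Here is an added example (not from the thread, nor from Debian's own tooling) of the check a security team would want for that invariant: it parses `debian/control`-style stanzas and reports every virtual package name that more than one binary package claims to provide. The package and module names in the sample stanzas are constructed for illustration.

```python
"""Report Node modules declared in Provides: by more than one package.

Added example, not part of the thread or of Debian tooling. It parses
debian/control-style stanzas and flags any virtual package provided by
two or more binary packages, which is the situation the draft policy
rules out so that a security update touches a single package.
"""
from collections import defaultdict
from typing import Dict, List, Set


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated stanzas into {field: value} dicts.

    Continuation lines (leading whitespace) are folded into the previous field.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if raw[0] in " \t" and last_field:
            current[last_field] += " " + raw.strip()
            continue
        field, _, value = raw.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def provided_names(provides: str) -> List[str]:
    """'node-a (= 1.0), node-b' -> ['node-a', 'node-b'] (version qualifiers dropped)."""
    names = []
    for entry in provides.split(","):
        entry = entry.strip()
        if entry:
            names.append(entry.split("(")[0].strip())
    return names


def duplicate_provides(control_text: str) -> Dict[str, Set[str]]:
    """Map each virtual package provided by more than one binary package to those packages."""
    providers: Dict[str, Set[str]] = defaultdict(set)
    for stanza in parse_stanzas(control_text):
        pkg = stanza.get("Package")
        if not pkg:
            continue  # Source: stanza (or malformed), carries no Provides
        for name in provided_names(stanza.get("Provides", "")):
            providers[name].add(pkg)
    return {name: pkgs for name, pkgs in providers.items() if len(pkgs) > 1}


# Constructed sample (hypothetical names): two web apps embed the same module.
SAMPLE_CONTROL = """\
Source: node-webapp-one
Section: web

Package: node-webapp-one
Architecture: all
Provides: node-example-util (= 1.3.0),
 node-example-helper (= 0.2.1)

Package: node-webapp-two
Architecture: all
Provides: node-example-util (= 1.2.0)

Package: node-standalone
Architecture: all
Provides: node-example-other
"""

if __name__ == "__main__":
    for name, pkgs in sorted(duplicate_provides(SAMPLE_CONTROL).items()):
        print(f"{name} is provided by more than one package: {', '.join(sorted(pkgs))}")
```

On a real system the same function can be run over the records printed by `apt-cache dumpavail`, which use the same stanza format; any name it reports is a module for which one security fix would have to be shipped in several packages.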

Re: [Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package

2018-09-14 Thread Yves-Alexis Perez

On Thu, 2018-09-13 at 11:59 +0200, Xavier wrote:
> After a long discussion in JS team, I built a Wiki draft [2] and I would
> like to have an opinion of Security Team before continuing in this way.

Hi Xavier,

could you elaborate on the precise impact for security updates? If I
understand correctly, what you want is to ship multiple upstream sources in
one Debian source package? Meaning a security issue in any one of the embedded
source would mean shipping a DSA for the whole?

Regards,
-- 
Yves-Alexis
