Re: [Pkg-javascript-devel] components without major risks

2018-12-01 Thread Ross Gammon
On 11/27/18 1:47 PM, Xavier wrote:
> Maybe a "debian/README.source" might be required for the DD to explain
> his choices (lintian error if missing).

+1

This is good practice anytime we add or subtract from the upstream
tarball. Otherwise it is hard for other team members to help out later.


-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 15:48, Bastien ROUCARIES wrote:
> On Tue, Nov 27, 2018 at 3:45 PM Xavier  wrote:
>>
>> On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
>>> Quoting Xavier (2018-11-27 15:22:10)
 On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> Quoting Xavier (2018-11-27 14:00:42)
>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>> Hi Xavier and Paolo,
>>>
>>> Please allow me to highlight this security-related detail:
>>>
>>> Quoting Xavier (2018-11-26 16:29:32)
 Embedding components without following them may be a lack of security.
 I think we should have a policy for embedding:
  - components without major risks   => not used in version
  - components that must be followed => declared as "group" in
debian/watch
  - components that must be followed and used in many other packages
=> packaged separately
>>>
>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
 With yesterday's news about the event-stream node module being pwned:
 https://github.com/dominictarr/event-stream/issues/116
 the importance of these matters should be clear to anyone.
 Probably there is no component "without major risks", and even if it
 existed, it would be unfair to lay upon the busy maintainer the task
 of deciding if it is risky or not.
>>>
>>> Thanks to _both_ of you (and others in the thread) for all your work
>>> tackling these issues.
>>>
>>> My point here is *not* to point fingers, but to emphasize an important
>>> aspect of our task as (re)distributors of code: Ensure code integrity
>>> towards our users.
>>>
>>>
>>>  - Jonas
>>
>> Thanks, so I propose this policy update - please review this:
>>  - components used only during build => not used in version
>>(except if they inject some code)
>>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>>[or if upstream isn't serious?]:
>>* very little component => not used in version
>>* components that must be followed and maybe used in many other
>>  packages  => packaged separately
>>* other components  => declared as "group" in debian/watch
>
> Sorry, I don't understand: Why not track code used during build?
>
> Seems you propose to systematically ignore potential upstream bugfixes.
>
>
>  - Jonas

 I was thinking to modules used to generate documentation, to test,... So
 even if there is a security issue in them, risk doesn't exist in
 published binary
>>>
>>> I think it is dangerous to try judge systematically and automated with
>>> no qualitative input what has security implications and what does not!
>>>
>>>  - Jonas
>>
>> You're right but this has some other cons (version string length,...).
>> Today, components are allowed without any version following. So this
>> point should also be inserted in Debian policy, shouldn't it ?
> 
> Components were created for packaging multiple tar of same project.
> See cernlib package and cry for instance

I updated https://wiki.debian.org/Javascript/GroupSourcesTutorial
Please review it:
 - format: English to review (this is not my mother tongue)
 - content: I tried to write the 2 policies


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 15:24, Jérémy Lal wrote:
> 
> 
> On Tue, 27 Nov 2018 at 15:22, Xavier wrote:
> 
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 14:00:42)
> >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>> Hi Xavier and Paolo,
> >>>
> >>> Please allow me to highlight this security-related detail:
> >>>
> >>> Quoting Xavier (2018-11-26 16:29:32)
>  Embedding components without following them may be a lack of
> security.
>  I think we should have a policy for embedding:
>   - components without major risks   => not used in version
>   - components that must be followed => declared as "group" in
>     debian/watch
>   - components that must be followed and used in many other packages
>     => packaged separately
> >>>
> >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>  With yesterday's news about the event-stream node module being
> pwned:
>  https://github.com/dominictarr/event-stream/issues/116
>  the importance of these matters should be clear to anyone.
>  Probably there is no component "without major risks", and even
> if it
>  existed, it would be unfair to lay upon the busy maintainer the
> task
>  of deciding if it is risky or not.
> >>>
> >>> Thanks to _both_ of you (and others in the thread) for all your
> work
> >>> tackling these issues.
> >>>
> >>> My point here is *not* to point fingers, but to emphasize an
> important
> >>> aspect of our task as (re)distributors of code: Ensure code
> integrity
> >>> towards our users.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> Thanks, so I propose this policy update - please review this:
> >>  - components used only during build => not used in version
> >>    (except if they inject some code)
> >>  - if upstream version isn't locked on dependencies (see Jérémy
> remark)
> >>    [or if upstream isn't serious?]:
> >>    * very little component => not used in version
> >>    * components that must be followed and maybe used in many other
> >>      packages              => packaged separately
> >>    * other components      => declared as "group" in debian/watch
> >
> > Sorry, I don't understand: Why not track code used during build?
> >
> > Seems you propose to systematically ignore potential upstream
> bugfixes.
> >
> >
> >  - Jonas
> 
> I was thinking to modules used to generate documentation, to test,... So
> even if there is a security issue in them, risk doesn't exist in
> published binary
> 
> 
> If there's something able to inject code in documentation (especially in
> html) it's a big issue...

Not directly, but it can affect the build machine in the worst case (a
corrupted upstream doc which uses a buffer overflow?).

I think that a Debian policy update should be proposed to fix possible
misuse of components.


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Bastien ROUCARIES
On Tue, Nov 27, 2018 at 3:45 PM Xavier  wrote:
>
> On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 15:22:10)
> >> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> >>> Quoting Xavier (2018-11-27 14:00:42)
>  On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > Hi Xavier and Paolo,
> >
> > Please allow me to highlight this security-related detail:
> >
> > Quoting Xavier (2018-11-26 16:29:32)
> >> Embedding components without following them may be a lack of security.
> >> I think we should have a policy for embedding:
> >>  - components without major risks   => not used in version
> >>  - components that must be followed => declared as "group" in
> >>debian/watch
> >>  - components that must be followed and used in many other packages
> >>=> packaged separately
> >
> > Quoting Paolo Greppi (2018-11-27 10:52:37)
> >> With yesterday's news about the event-stream node module being pwned:
> >> https://github.com/dominictarr/event-stream/issues/116
> >> the importance of these matters should be clear to anyone.
> >> Probably there is no component "without major risks", and even if it
> >> existed, it would be unfair to lay upon the busy maintainer the task
> >> of deciding if it is risky or not.
> >
> > Thanks to _both_ of you (and others in the thread) for all your work
> > tackling these issues.
> >
> > My point here is *not* to point fingers, but to emphasize an important
> > aspect of our task as (re)distributors of code: Ensure code integrity
> > towards our users.
> >
> >
> >  - Jonas
> 
>  Thanks, so I propose this policy update - please review this:
>   - components used only during build => not used in version
> (except if they inject some code)
>   - if upstream version isn't locked on dependencies (see Jérémy remark)
> [or if upstream isn't serious?]:
> * very little component => not used in version
> * components that must be followed and maybe used in many other
>   packages  => packaged separately
> * other components  => declared as "group" in debian/watch
> >>>
> >>> Sorry, I don't understand: Why not track code used during build?
> >>>
> >>> Seems you propose to systematically ignore potential upstream bugfixes.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> I was thinking to modules used to generate documentation, to test,... So
> >> even if there is a security issue in them, risk doesn't exist in
> >> published binary
> >
> > I think it is dangerous to try judge systematically and automated with
> > no qualitative input what has security implications and what does not!
> >
> >  - Jonas
>
> You're right but this has some other cons (version string length,...).
> Today, components are allowed without any version following. So this
> point should also be inserted in Debian policy, shouldn't it ?

Components were created for packaging multiple tarballs of the same project.
See the cernlib package and cry for instance.


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
> Quoting Xavier (2018-11-27 15:22:10)
>> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>>> Quoting Xavier (2018-11-27 14:00:42)
 On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> Hi Xavier and Paolo,
>
> Please allow me to highlight this security-related detail:
>
> Quoting Xavier (2018-11-26 16:29:32)
>> Embedding components without following them may be a lack of security. 
>> I think we should have a policy for embedding:
>>  - components without major risks   => not used in version
>>  - components that must be followed => declared as "group" in
>>debian/watch
>>  - components that must be followed and used in many other packages
>>=> packaged separately
>
> Quoting Paolo Greppi (2018-11-27 10:52:37)
>> With yesterday's news about the event-stream node module being pwned: 
>> https://github.com/dominictarr/event-stream/issues/116
>> the importance of these matters should be clear to anyone.
>> Probably there is no component "without major risks", and even if it 
>> existed, it would be unfair to lay upon the busy maintainer the task 
>> of deciding if it is risky or not.
>
> Thanks to _both_ of you (and others in the thread) for all your work 
> tackling these issues.
>
> My point here is *not* to point fingers, but to emphasize an important 
> aspect of our task as (re)distributors of code: Ensure code integrity 
> towards our users.
>
>
>  - Jonas

 Thanks, so I propose this policy update - please review this:
  - components used only during build => not used in version
(except if they inject some code)
  - if upstream version isn't locked on dependencies (see Jérémy remark)
[or if upstream isn't serious?]:
* very little component => not used in version
* components that must be followed and maybe used in many other
  packages  => packaged separately
* other components  => declared as "group" in debian/watch
>>>
>>> Sorry, I don't understand: Why not track code used during build?
>>>
>>> Seems you propose to systematically ignore potential upstream bugfixes.
>>>
>>>
>>>  - Jonas
>>
>> I was thinking to modules used to generate documentation, to test,... So
>> even if there is a security issue in them, risk doesn't exist in
>> published binary
> 
> I think it is dangerous to try judge systematically and automated with 
> no qualitative input what has security implications and what does not!
> 
>  - Jonas

You're right, but this has some other cons (version string length, ...).
Today, components are allowed without any version following. So this
point should also be inserted in Debian policy, shouldn't it?


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Jérémy Lal
On Tue, 27 Nov 2018 at 15:22, Xavier wrote:

> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 14:00:42)
> >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>> Hi Xavier and Paolo,
> >>>
> >>> Please allow me to highlight this security-related detail:
> >>>
> >>> Quoting Xavier (2018-11-26 16:29:32)
>  Embedding components without following them may be a lack of
> security.
>  I think we should have a policy for embedding:
>   - components without major risks   => not used in version
>   - components that must be followed => declared as "group" in
> debian/watch
>   - components that must be followed and used in many other packages
> => packaged separately
> >>>
> >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>  With yesterday's news about the event-stream node module being pwned:
>  https://github.com/dominictarr/event-stream/issues/116
>  the importance of these matters should be clear to anyone.
>  Probably there is no component "without major risks", and even if it
>  existed, it would be unfair to lay upon the busy maintainer the task
>  of deciding if it is risky or not.
> >>>
> >>> Thanks to _both_ of you (and others in the thread) for all your work
> >>> tackling these issues.
> >>>
> >>> My point here is *not* to point fingers, but to emphasize an important
> >>> aspect of our task as (re)distributors of code: Ensure code integrity
> >>> towards our users.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> Thanks, so I propose this policy update - please review this:
> >>  - components used only during build => not used in version
> >>(except if they inject some code)
> >>  - if upstream version isn't locked on dependencies (see Jérémy remark)
> >>[or if upstream isn't serious?]:
> >>* very little component => not used in version
> >>* components that must be followed and maybe used in many other
> >>  packages  => packaged separately
> >>* other components  => declared as "group" in debian/watch
> >
> > Sorry, I don't understand: Why not track code used during build?
> >
> > Seems you propose to systematically ignore potential upstream bugfixes.
> >
> >
> >  - Jonas
>
> I was thinking to modules used to generate documentation, to test,... So
> even if there is a security issue in them, risk doesn't exist in
> published binary
>

If there's something able to inject code in documentation (especially in
html) it's a big issue...

Jérémy

Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Bastien ROUCARIES
On Tue, Nov 27, 2018 at 3:33 PM Jonas Smedegaard  wrote:
>
> Quoting Xavier (2018-11-27 15:22:10)
> > On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > > Quoting Xavier (2018-11-27 14:00:42)
> > >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > >>> Hi Xavier and Paolo,
> > >>>
> > >>> Please allow me to highlight this security-related detail:
> > >>>
> > >>> Quoting Xavier (2018-11-26 16:29:32)
> >  Embedding components without following them may be a lack of security.
> >  I think we should have a policy for embedding:
> >   - components without major risks   => not used in version
> >   - components that must be followed => declared as "group" in
> > debian/watch
> >   - components that must be followed and used in many other packages
> > => packaged separately
> > >>>
> > >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> >  With yesterday's news about the event-stream node module being pwned:
> >  https://github.com/dominictarr/event-stream/issues/116
> >  the importance of these matters should be clear to anyone.
> >  Probably there is no component "without major risks", and even if it
> >  existed, it would be unfair to lay upon the busy maintainer the task
> >  of deciding if it is risky or not.
> > >>>
> > >>> Thanks to _both_ of you (and others in the thread) for all your work
> > >>> tackling these issues.
> > >>>
> > >>> My point here is *not* to point fingers, but to emphasize an important
> > >>> aspect of our task as (re)distributors of code: Ensure code integrity
> > >>> towards our users.
> > >>>
> > >>>
> > >>>  - Jonas
> > >>
> > >> Thanks, so I propose this policy update - please review this:
> > >>  - components used only during build => not used in version
> > >>(except if they inject some code)
> > >>  - if upstream version isn't locked on dependencies (see Jérémy remark)
> > >>[or if upstream isn't serious?]:
> > >>* very little component => not used in version
> > >>* components that must be followed and maybe used in many other
> > >>  packages  => packaged separately
> > >>* other components  => declared as "group" in debian/watch
> > >
> > > Sorry, I don't understand: Why not track code used during build?
> > >
> > > Seems you propose to systematically ignore potential upstream bugfixes.
> > >
> > >
> > >  - Jonas
> >
> > I was thinking to modules used to generate documentation, to test,... So
> > even if there is a security issue in them, risk doesn't exist in
> > published binary
>
> I think it is dangerous to try judge systematically and automated with
> no qualitative input what has security implications and what does not!

I agree here... No more node_modules inside the package. At least it will
be fixed once.

>
>  - Jonas
>


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Jonas Smedegaard
Quoting Xavier (2018-11-27 15:22:10)
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 14:00:42)
> >> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>> Hi Xavier and Paolo,
> >>>
> >>> Please allow me to highlight this security-related detail:
> >>>
> >>> Quoting Xavier (2018-11-26 16:29:32)
>  Embedding components without following them may be a lack of security. 
>  I think we should have a policy for embedding:
>   - components without major risks   => not used in version
>   - components that must be followed => declared as "group" in
> debian/watch
>   - components that must be followed and used in many other packages
> => packaged separately
> >>>
> >>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>  With yesterday's news about the event-stream node module being pwned: 
>  https://github.com/dominictarr/event-stream/issues/116
>  the importance of these matters should be clear to anyone.
>  Probably there is no component "without major risks", and even if it 
>  existed, it would be unfair to lay upon the busy maintainer the task 
>  of deciding if it is risky or not.
> >>>
> >>> Thanks to _both_ of you (and others in the thread) for all your work 
> >>> tackling these issues.
> >>>
> >>> My point here is *not* to point fingers, but to emphasize an important 
> >>> aspect of our task as (re)distributors of code: Ensure code integrity 
> >>> towards our users.
> >>>
> >>>
> >>>  - Jonas
> >>
> >> Thanks, so I propose this policy update - please review this:
> >>  - components used only during build => not used in version
> >>(except if they inject some code)
> >>  - if upstream version isn't locked on dependencies (see Jérémy remark)
> >>[or if upstream isn't serious?]:
> >>* very little component => not used in version
> >>* components that must be followed and maybe used in many other
> >>  packages  => packaged separately
> >>* other components  => declared as "group" in debian/watch
> > 
> > Sorry, I don't understand: Why not track code used during build?
> > 
> > Seems you propose to systematically ignore potential upstream bugfixes.
> > 
> > 
> >  - Jonas
> 
> I was thinking to modules used to generate documentation, to test,... So
> even if there is a security issue in them, risk doesn't exist in
> published binary

I think it is dangerous to try to judge systematically and automatically, with 
no qualitative input, what has security implications and what does not!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 15:22, Xavier wrote:
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>> Quoting Xavier (2018-11-27 14:00:42)
>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
 Hi Xavier and Paolo,

 Please allow me to highlight this security-related detail:

 Quoting Xavier (2018-11-26 16:29:32)
> Embedding components without following them may be a lack of security. 
> I think we should have a policy for embedding:
>  - components without major risks   => not used in version
>  - components that must be followed => declared as "group" in
>debian/watch
>  - components that must be followed and used in many other packages
>=> packaged separately

 Quoting Paolo Greppi (2018-11-27 10:52:37)
> With yesterday's news about the event-stream node module being pwned: 
> https://github.com/dominictarr/event-stream/issues/116
> the importance of these matters should be clear to anyone.
> Probably there is no component "without major risks", and even if it 
> existed, it would be unfair to lay upon the busy maintainer the task 
> of deciding if it is risky or not.

 Thanks to _both_ of you (and others in the thread) for all your work 
 tackling these issues.

 My point here is *not* to point fingers, but to emphasize an important 
 aspect of our task as (re)distributors of code: Ensure code integrity 
 towards our users.


  - Jonas
>>>
>>> Thanks, so I propose this policy update - please review this:
>>>  - components used only during build => not used in version
>>>(except if they inject some code)
>>>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>>>[or if upstream isn't serious?]:
>>>* very little component => not used in version
>>>* components that must be followed and maybe used in many other
>>>  packages  => packaged separately
>>>* other components  => declared as "group" in debian/watch
>>
>> Sorry, I don't understand: Why not track code used during build?
>>
>> Seems you propose to systematically ignore potential upstream bugfixes.
>>
>>
>>  - Jonas
> 
> I was thinking to modules used to generate documentation, to test,... So
> even if there is a security issue in them, risk doesn't exist in
> published binary

This avoids having too long a version string. We talked about version
summarization earlier, but it had many cons.


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> Quoting Xavier (2018-11-27 14:00:42)
>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>> Hi Xavier and Paolo,
>>>
>>> Please allow me to highlight this security-related detail:
>>>
>>> Quoting Xavier (2018-11-26 16:29:32)
 Embedding components without following them may be a lack of security. 
 I think we should have a policy for embedding:
  - components without major risks   => not used in version
  - components that must be followed => declared as "group" in
debian/watch
  - components that must be followed and used in many other packages
=> packaged separately
>>>
>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
 With yesterday's news about the event-stream node module being pwned: 
 https://github.com/dominictarr/event-stream/issues/116
 the importance of these matters should be clear to anyone.
 Probably there is no component "without major risks", and even if it 
 existed, it would be unfair to lay upon the busy maintainer the task 
 of deciding if it is risky or not.
>>>
>>> Thanks to _both_ of you (and others in the thread) for all your work 
>>> tackling these issues.
>>>
>>> My point here is *not* to point fingers, but to emphasize an important 
>>> aspect of our task as (re)distributors of code: Ensure code integrity 
>>> towards our users.
>>>
>>>
>>>  - Jonas
>>
>> Thanks, so I propose this policy update - please review this:
>>  - components used only during build => not used in version
>>(except if they inject some code)
>>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>>[or if upstream isn't serious?]:
>>* very little component => not used in version
>>* components that must be followed and maybe used in many other
>>  packages  => packaged separately
>>* other components  => declared as "group" in debian/watch
> 
> Sorry, I don't understand: Why not track code used during build?
> 
> Seems you propose to systematically ignore potential upstream bugfixes.
> 
> 
>  - Jonas

I was thinking of modules used to generate documentation, to test, ... So
even if there is a security issue in them, the risk doesn't exist in the
published binary.


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Jonas Smedegaard
Quoting Xavier (2018-11-27 14:00:42)
> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> > Hi Xavier and Paolo,
> > 
> > Please allow me to highlight this security-related detail:
> > 
> > Quoting Xavier (2018-11-26 16:29:32)
> >> Embedding components without following them may be a lack of security. 
> >> I think we should have a policy for embedding:
> >>  - components without major risks   => not used in version
> >>  - components that must be followed => declared as "group" in
> >>debian/watch
> >>  - components that must be followed and used in many other packages
> >>=> packaged separately
> > 
> > Quoting Paolo Greppi (2018-11-27 10:52:37)
> >> With yesterday's news about the event-stream node module being pwned: 
> >> https://github.com/dominictarr/event-stream/issues/116
> >> the importance of these matters should be clear to anyone.
> >> Probably there is no component "without major risks", and even if it 
> >> existed, it would be unfair to lay upon the busy maintainer the task 
> >> of deciding if it is risky or not.
> > 
> > Thanks to _both_ of you (and others in the thread) for all your work 
> > tackling these issues.
> > 
> > My point here is *not* to point fingers, but to emphasize an important 
> > aspect of our task as (re)distributors of code: Ensure code integrity 
> > towards our users.
> > 
> > 
> >  - Jonas
> 
> Thanks, so I propose this policy update - please review this:
>  - components used only during build => not used in version
>(except if they inject some code)
>  - if upstream version isn't locked on dependencies (see Jérémy remark)
>[or if upstream isn't serious?]:
>* very little component => not used in version
>* components that must be followed and maybe used in many other
>  packages  => packaged separately
>* other components  => declared as "group" in debian/watch

Sorry, I don't understand: Why not track code used during build?

Seems you propose to systematically ignore potential upstream bugfixes.


 - Jonas


Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> Hi Xavier and Paolo,
> 
> Please allow me to highlight this security-related detail:
> 
> Quoting Xavier (2018-11-26 16:29:32)
>> Embedding components without following them may be a lack of security. 
>> I think we should have a policy for embedding:
>>  - components without major risks   => not used in version
>>  - components that must be followed => declared as "group" in
>>debian/watch
>>  - components that must be followed and used in many other packages
>>=> packaged separately
> 
> Quoting Paolo Greppi (2018-11-27 10:52:37)
>> With yesterday's news about the event-stream node module being pwned: 
>> https://github.com/dominictarr/event-stream/issues/116
>> the importance of these matters should be clear to anyone.
>> Probably there is no component "without major risks", and even if it 
>> existed, it would be unfair to lay upon the busy maintainer the task 
>> of deciding if it is risky or not.
> 
> Thanks to _both_ of you (and others in the thread) for all your work 
> tackling these issues.
> 
> My point here is *not* to point fingers, but to emphasize an important 
> aspect of our task as (re)distributors of code: Ensure code integrity 
> towards our users.
> 
> 
>  - Jonas

Thanks, so I propose this policy update - please review this:
 - components used only during build => not used in version
   (except if they inject some code)
 - if upstream version isn't locked on dependencies (see Jérémy's remark)
   [or if upstream isn't serious?]:
   * very little component => not used in version
   * components that must be followed and maybe used in many other
     packages  => packaged separately
   * other components  => declared as "group" in debian/watch

Sharing policy (components published via debian/control "Provides:") -
please review this:
 - components used only during build => no
 - components locked to a too old version => no [needs to patch code
   to replace "require('x')" by "require('main_mod/x/index.js')" and to
   install this component in /usr.../main_mod/x]. Maybe a better way?
 - components installed in main node_modules => published


Example with node-mongodb:
 - mongodb-core => group + published
 - bson => group + not published (locked to 1.1.0 while upstream
   published a 4.0.0, NB: same author so less security risk)
 - require_optional => not grouped + not published (simple package that
   avoids failure on "require" of an optional module: try/catch)

Maybe a "debian/README.source" might be required for the DD to explain
his choices (lintian error if missing).

I also think that dak should redirect an upload to the NEW queue when a new
component is added, at least in the version (like every time a new binary
package is added).

Regards,
Xavier

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 13:47, Xavier wrote:
> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>> Hi Xavier and Paolo,
>>
>> Please allow me to highlight this security-related detail:
>>
>> Quoting Xavier (2018-11-26 16:29:32)
>>> Embedding components without following them may be a lack of security. 
>>> I think we should have a policy for embedding:
>>>  - components without major risks   => not used in version
>>>  - components that must be followed => declared as "group" in
>>>debian/watch
>>>  - components that must be followed and used in many other packages
>>>=> packaged separately
>>
>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>> With yesterday's news about the event-stream node module being pwned: 
>>> https://github.com/dominictarr/event-stream/issues/116
>>> the importance of these matters should be clear to anyone.
>>> Probably there is no component "without major risks", and even if it 
>>> existed, it would be unfair to lay upon the busy maintainer the task 
>>> of deciding if it is risky or not.
>>
>> Thanks to _both_ of you (and others in the thread) for all your work 
>> tackling these issues.
>>
>> My point here is *not* to point fingers, but to emphasize an important 
>> aspect of our task as (re)distributors of code: Ensure code integrity 
>> towards our users.
>>
>>
>>  - Jonas
> 
> Thanks, so I propose this policy update - please review this:
>  - components used only during build => not used in version
>(except if they inject some code)
>  - if upstream version isn't locked on dependencies (see Jérémy's remark)
>[or if upstream isn't serious?]:
>* very little component => not used in version
>* components that must be followed and maybe used in many other
>  packages  => packaged separately
>* other components  => declared as "group" in debian/watch
> 
> Sharing policy (components published via debian/control "Provides:") -
> please review this:
>  - components used only during build => no
>  - components locked to a too old version => no [needs to patch code
>    to replace "require('x')" by "require('main_mod/x/index.js')" and to
>    install this component in /usr.../main_mod/x]. Maybe a better way?
>  - components installed in main node_modules => published
> 
> 
> Example with node-mongodb:
>  - mongodb-core => group + published
>  - bson => group + not published (locked to 1.1.0 while upstream
>    published a 4.0.0, NB: same author so less security risk)
>  - require_optional => not grouped + not published (simple package that
>    avoids failure on "require" to an optional module: try/catch)
> 
> Maybe a "debian/README.source" might be required for the DD to explain
> his choices (lintian error if missing).
> 
> I also think that dak should redirect an upload to the NEW queue when a
> new component is added, at least in version (like every time a new
> binary package is added).
> 
> Regards,
> Xavier

Another problem to keep in mind: imagine node-mongodb published
"require_optional" or "bson" in /usr/lib/nodejs or
/usr/lib/node_modules. Then every module that wants to use
require_optional will depend on the node-mongodb driver! We must evaluate
this point before publishing a component and so lock the
/usr/lib/nodejs/ directory, to decide if there are not too many
unwanted packages installed.

(NB: I will upload a new version of node-mongodb, consistent with the
policy, when it is stable)


[Pkg-javascript-devel] components without major risks

2018-11-27 Thread Xavier
On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> Hi Xavier and Paolo,
> 
> Please allow me to highlight this security-related detail:
> 
> Quoting Xavier (2018-11-26 16:29:32)
>> Embedding components without following them may be a lack of security. 
>> I think we should have a policy for embedding:
>>  - components without major risks   => not used in version
>>  - components that must be followed => declared as "group" in
>>debian/watch
>>  - components that must be followed and used in many other packages
>>=> packaged separately
> 
> Quoting Paolo Greppi (2018-11-27 10:52:37)
>> With yesterday's news about the event-stream node module being pwned: 
>> https://github.com/dominictarr/event-stream/issues/116
>> the importance of these matters should be clear to anyone.
>> Probably there is no component "without major risks", and even if it 
>> existed, it would be unfair to lay upon the busy maintainer the task 
>> of deciding if it is risky or not.
> 
> Thanks to _both_ of you (and others in the thread) for all your work 
> tackling these issues.
> 
> My point here is *not* to point fingers, but to emphasize an important 
> aspect of our task as (re)distributors of code: Ensure code integrity 
> towards our users.
> 
> 
>  - Jonas

Thanks, so I propose this policy update - please review this:
 - components used only during build => not used in version
   (except if they inject some code)
 - if upstream version isn't locked on dependencies (see Jérémy's remark)
   [or if upstream isn't serious?]:
   * very little component => not used in version
   * components that must be followed and maybe used in many other
 packages  => packaged separately
   * other components  => declared as "group" in debian/watch

Sharing policy (components published via debian/control "Provides:") -
please review this:
 - components used only during build => no
 - components locked to a too old version => no [needs to patch code
   to replace "require('x')" by "require('main_mod/x/index.js')" and to
   install this component in /usr.../main_mod/x]. Maybe a better way?
 - components installed in main node_modules => published


Example with node-mongodb:
 - mongodb-core => group + published
 - bson => group + not published (locked to 1.1.0 while upstream
   published a 4.0.0, NB: same author so less security risk)
 - require_optional => not grouped + not published (simple package that
   avoids failure on "require" to an optional module: try/catch)

Maybe a "debian/README.source" might be required for the DD to explain
his choices (lintian error if missing).

I also think that dak should redirect an upload to the NEW queue when a
new component is added, at least in version (like every time a new
binary package is added).

Regards,
Xavier

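Added example, not code from the thread or from node-mongodb: a check for the "upstream isn't locked on dependencies" criterion in Xavier's proposal, classifying each entry of a package.json manifest as an exact pin, a floating semver range, or a non-registry source. The sample manifest is constructed; its package names echo the thread but the versions are made-up assumptions, not node-mongodb's real manifest.

```javascript
// Added example, not code from the thread or from node-mongodb: classify
// the dependency ranges declared in a package.json manifest, so a packager
// can see at a glance whether upstream has locked its dependencies.
// A floating range ("^", "~", ">=", "*", "x") lets a later install resolve
// to a release upstream never tested, which is what the event-stream
// incident relied on; an exact "x.y.z" pin does not.

// Exact pin: bare "x.y.z", optionally with a pre-release or build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Classify every entry of dependencies and optionalDependencies.
// Returns { pinned, floating, nonRegistry } as arrays of package names.
function classifyDependencies(pkg) {
  const result = { pinned: [], floating: [], nonRegistry: [] };
  for (const section of ['dependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (EXACT_VERSION.test(range)) {
        result.pinned.push(name);
      } else if (range.includes(':') || range.includes('/')) {
        // git URL, file: path or "user/repo" shorthand: not a registry
        // version at all, so it needs a separate manual review
        result.nonRegistry.push(name);
      } else {
        result.floating.push(name);
      }
    }
  }
  return result;
}

// True when every registry dependency is exactly pinned.
function isLockedOnDependencies(pkg) {
  return classifyDependencies(pkg).floating.length === 0;
}

// Constructed sample manifest: names echo the thread, versions are made up.
const SAMPLE_PKG = {
  name: 'example-driver',
  dependencies: {
    'bson': '1.1.0',                              // exact pin
    'mongodb-core': '^3.1.0',                     // caret range: floating
    'require_optional': '~1.0.0',                 // tilde range: floating
    'some-helper': 'github:someone/some-helper',  // not from the registry
  },
  optionalDependencies: {
    'optional-thing': '*',                        // wildcard: floating
  },
};

console.log(classifyDependencies(SAMPLE_PKG), isLockedOnDependencies(SAMPLE_PKG));
```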

Re: [Pkg-javascript-devel] components without major risks

2018-11-27 Thread Jonas Smedegaard
Hi Xavier and Paolo,

Please allow me to highlight this security-related detail:

Quoting Xavier (2018-11-26 16:29:32)
> Embedding components without following them may be a lack of security. 
> I think we should have a policy for embedding:
>  - components without major risks   => not used in version
>  - components that must be followed => declared as "group" in
>debian/watch
>  - components that must be followed and used in many other packages
>=> packaged separately

Quoting Paolo Greppi (2018-11-27 10:52:37)
> With yesterday's news about the event-stream node module being pwned: 
> https://github.com/dominictarr/event-stream/issues/116
> the importance of these matters should be clear to anyone.
> Probably there is no component "without major risks", and even if it 
> existed, it would be unfair to lay upon the busy maintainer the task 
> of deciding if it is risky or not.

Thanks to _both_ of you (and others in the thread) for all your work 
tackling these issues.

My point here is *not* to point fingers, but to emphasize an important 
aspect of our task as (re)distributors of code: Ensure code integrity 
towards our users.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

