[Pkg-javascript-devel] Bug#831548: RM: mtasc -- ROM; obsoleted by newer standard web technologies

2017-12-22 Thread Paul Wise
Control: severity -1 serious
Control: severity 831553 normal

Hi everyone,

The buster cycle is the right time to remove mtasc from the Debian
archive. It has been unmaintained in Debian and upstream for years. The
web ecosystem is moving away from Flash towards standard web tech,
which can now replace most use of Flash. Debian should encourage our
upstreams to move towards standard web tech like HTML5 and JavaScript.

Please talk to your upstreams about transitioning away from
ActionScript 2 towards HTML5 JavaScript. If they need to still
support Flash for some users, then they should switch to something
like Haxe but they should not build Flash files by default. 

On Fri, 22 Dec 2017 17:29:50 -0500 Scott Kitterman wrote:

> 15 months later all but one of those bugs is still open.  Can you either
> work with the maintainers to get them done or close this request until it's
> ripe for processing?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Re: [Pkg-javascript-devel] Concerns about infrastructure for Alioth replacement

2017-10-19 Thread Paul Wise
On Wed, Oct 18, 2017 at 2:13 PM, Alexander Wirt wrote:

> Please don't get me wrong, but even if gitlab packages are recent tomorrow
> (which I don't think) we won't migrate. The work is done and we have all
> the things in place to maintain them. So please do me a favour and don't
> mention alioth as the reason.

I note that the Debian security team doesn't support libv8, nodejs and
the stack above it.

https://sources.debian.net/src/debian-security-support/2017.06.02/security-support-limited/#L14

In my experience the JavaScript team doesn't appear to be following
the nodesecurity.io security advisories.

https://nodesecurity.io/advisories

What is your plan for avoiding the security issues discovered in
libv8/nodejs and gitlab-related node modules?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



[Pkg-javascript-devel] Bug#877977: RFP: node-web-ext -- build, run, and test web extensions

2017-10-08 Thread Paul Wise
Package: wnpp
Severity: wishlist
X-Debbugs-CC: pkg-mozext-maintain...@lists.alioth.debian.org, 
pkg-javascript-devel@lists.alioth.debian.org, debian-de...@lists.debian.org

* Package name: node-web-ext
  Version : 2.0.0
  Upstream Author : Mozilla
* URL : https://github.com/mozilla/web-ext
* License : MPL-2.0
  Programming Lang: JavaScript
  Description : build, run, and test web extensions

This is useful for people wanting to create WebExtensions, which
are becoming the only extension API for Firefox from version 57.
I would guess that some WebExtensions will require it for building.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Getting_started_with_web-ext

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#862712: node-brace-expansion: regular expression denial of service

2017-05-15 Thread Paul Wise
Package: node-brace-expansion
Version: 1.1.6-1
Severity: serious
Tags: security

There is a regular expression denial of service issue in
node-brace-expansion <= 1.1.6. More details available here:

https://nodesecurity.io/advisories/338

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#831548: dojo: mtasc removal

2016-07-17 Thread Paul Wise
Source: dojo
Severity: normal

I would like to remove mtasc from the Debian archive. It has been
unmaintained in Debian and upstream for years. The web ecosystem is
moving away from Flash towards standard web technologies, which can
now replace most use of Flash. Debian should encourage our upstreams
to move towards standard web technologies like HTML5 and JavaScript.
Please talk to your upstreams about transitioning away from
ActionScript 2 towards HTML5 JavaScript. If they need to still
support Flash for some users, then they should switch to something
like Haxe. 

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#716796: jQuery needs updating

2015-05-03 Thread Paul Wise
On Sat, 13 Jul 2013 06:53:09 +1000 Jackson Doak wrote:

> The current version of jQuery in the debian repositories
> (1.7.2+dfsg-2) is outdated. Please update it to version 2.0.3.
> http://blog.jquery.com/2013/07/03/jquery-1-10-2-and-2-0-3-released/

Now is exactly the right time to update jquery as we are at the
beginning of the release cycle for stretch. I would suggest
co-ordinating with any reverse dependencies of jquery and packaging
older versions too if any reverse deps need them.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#744374: node-connect: methodOverride middleware reflected cross-site scripting

2014-04-13 Thread Paul Wise
Package: node-connect
Severity: serious
Tags: security fixed-upstream

The Node Security Project discovered an XSS vulnerability in the node
connect module, please fix this bug by upgrading node-connect.

Vulnerable: <=2.8.0
Patched: >=2.8.1
Report: 
https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Upstream bug report: https://github.com/senchalabs/connect/issues/831
First fix: 
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
Second fix: 
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#741586: RFP: libjs-jquery-bbq -- Back Button & Query Library

2014-03-14 Thread Paul Wise
Package: wnpp
Severity: wishlist
X-Debbugs-CC: drup...@packages.debian.org, 
ganglia-webfront...@packages.debian.org, 
jquery-alternative-...@packages.debian.org, 
pkg-javascript-devel@lists.alioth.debian.org

Packages in CC are embedding a copy of jquery.ba-bbq.js. It would
be great if the maintainers could collaborate on this package and make
their packages depend on it instead of both embedding copies:

https://wiki.debian.org/EmbeddedCodeCopies

* Package name: libjs-jquery-bbq
  Version : 1.2.1
  Upstream Author : Ben Alman
* URL : http://benalman.com/projects/jquery-bbq-plugin/
* License : GPL + MIT
  Programming Lang: JavaScript, CSS
  Description : Back Button & Query Library

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


[Pkg-javascript-devel] Bug#741581: RFP: libjs-jquery-filetree -- a customized, fully-interactive file tree for the web

2014-03-13 Thread Paul Wise
Package: wnpp
Severity: wishlist
X-Debbugs-CC: controla...@packages.debian.org, dolib...@packages.debian.org, 
pkg-javascript-devel@lists.alioth.debian.org

Packages in CC are both embedding a copy of jqueryFileTree.js. It would
be great if the maintainers could collaborate on this package and make
their packages depend on it instead of both embedding copies:

https://wiki.debian.org/EmbeddedCodeCopies

* Package name: libjs-jquery-filetree
  Version : 1.01
  Upstream Author : Cory S.N. LaViska
* URL : http://www.abeautifulsite.net/blog/2008/03/jquery-file-tree/
* License : GPL + MIT
  Programming Lang: JavaScript, CSS
  Description : customizable, fully-interactive file tree for the web

Here is the demo site:

http://labs.abeautifulsite.net/archived/jquery-fileTree/demo/

In addition to the original upstream, there is a newer fork here:

https://github.com/daverogers/jQueryFileTree

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Re: [Pkg-javascript-devel] [Pkg-fonts-devel] Debian font URLs [was: Re: Debian javascript URLs]

2013-09-02 Thread Paul Wise
On Thu, 2013-08-22 at 08:51 -0700, T.C. Hollingsworth wrote:

> So my reasoning regarding this is similar to Debian's reasoning regarding the
> default enablement of daemons.  Debian starts all daemons by default because
> if you don't want to run them, you shouldn't install them in the first place.
> We enable HTTP access to web assets by default, because if you don't want to
> use them, you shouldn't install them in the first place.

We only enable daemons by default when the defaults are reasonable or
when a debconf prompt enables enough configuration for them to be
started by default. Web assets are different, each domain or even each
web app in a domain will need them at different paths and need different
assets.

> There are no cross-origin restrictions on the loading of CSS or JavaScript in
> web browsers.  If someone can load arbitrary JavaScript or CSS from your
> server, they can just as easily load it from a foreign server under their
> control or a public CDN.  Even if there were, if someone had already got this
> level of control over your application it would offer little in the way of
> protection, since attackers could just `eval()` their evil code instead of
> loading it from a server.

I use a browser plugin that fixes this hole in web browser security. I
agree that it doesn't offer much protection but I am reminded of ROP:

https://en.wikipedia.org/wiki/Return-oriented_programming

> Sometimes web apps never know that their needed CSS/JS dependencies are
> either.  Who knows what a Rails app is going to need?

AFAIK, Rails apps declare their deps in the Gemfile.

> We'd also like to enable new use cases.  Someone might want to create a little
> Debian cloud image for running a blog, as a nice free software alternative to
> using hosted services.  They might want to include a bunch of themes and fonts
> so users can customize it just as easily as they can with the hosted service,
> without requiring a bunch of hand-editing configuration files. This makes
> such a thing possible.

Sounds like a nice use-case, but with or without enabling the
themes/fonts this would require hand-editing config files wouldn't it?

> Right now the cool thing to do is copy-and-paste some HTML from a CDN like
> Google's site.  Then all your requests are tracked, you're at the mercy of
> a third-party provider, and if they go rogue they can really mess with your
> site.  Or they just `wget` the file and it sits un-updated for eternity.

Agreed both of these are bad.

> The only way we can compete with this is to make it dead simple for developers
> to use. If the instructions for use involve a lot of hand-editing
> configuration files and differing instructions for every web server under the
> sun, people are just going to keep using CDNs or local copies of these files.

That would be cool.

> But, if we could have a simple page like [1] or [2], that says "just run
> `apt-get install libjs-jquery` and add this script tag to your page", then
> maybe, just maybe we can improve the web a little bit.

How would we know what to put in the script tag? There is no way for an
automated system to know which URL is appropriate for that.

> Previously this was done with either Flash or by using images (which is
> horrible for accessibility and generally user-hostile).  Web fonts are a
> massive improvement in this area.

I agree that Flash/images are horrible but I don't agree that the
benefit was worth the cost. I would prefer for people to make
interesting content rather than pretty text, the latter is something for
users to choose rather than designers to impose.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Re: [Pkg-javascript-devel] [Pkg-fonts-devel] Debian font URLs [was: Re: Debian javascript URLs]

2013-08-22 Thread Paul Wise
Whenever this idea has come up (including the current /javascript
implementation) I have always thought it was a bad idea, especially
for JavaScript. Exposing more than absolutely needed for each website
at minimum is an information leakage. With JS or CSS it might lead to
security issues in the web apps on the same domain. Instead, the
scripts used for setting up vhosts should reference the needed
CSS/JS/etc dependencies using the web server or framework
configuration. In addition, you can never know which URLs a specific
web app, vhost or instance of a web app will use at runtime, so
unilaterally taking over a generic path like /javascript, /assets,
/_assets or /_sysassets is a recipe for annoying our users (social
contract says no).

I also think web fonts (and other recent browser attack-surface bloat)
are an insane idea for security. They also lead to sites doing stupid
things like putting icons into the PUA of web fonts. They are yet
another reason why I'm wishing I could leave the web.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
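An added illustration of the per-vhost approach argued for above (not part of the original thread or of any Debian package): the host-wide `/javascript` alias, as shipped in javascript-common's Apache snippet, beside a vhost-scoped alternative that exposes only the one library the site actually uses. The vhost name `blog.example.org` and the `/static/jquery` path are assumptions for illustration.

```apache
# Host-wide exposure: with this alias active in the server config, every
# vhost on the machine serves every library under /usr/share/javascript,
# whether that site uses it or not (shown commented out here).
# Alias /javascript /usr/share/javascript/

# Vhost-scoped alternative: only this site, and only the one library it uses.
# "blog.example.org" and "/static/jquery" are assumed names for illustration.
<VirtualHost *:443>
    ServerName blog.example.org
    DocumentRoot /var/www/blog

    # Expose jquery from the libjs-jquery package under a site-chosen path,
    # so the site's own templates reference /static/jquery/jquery.js.
    Alias /static/jquery /usr/share/javascript/jquery
    <Directory /usr/share/javascript/jquery>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # No other directory under /usr/share/javascript is reachable on this
    # vhost, and other vhosts on the host get nothing unless they opt in.
</VirtualHost>
```

The same scoping applies to a CSS or font package: alias the single package directory inside the vhost that needs it rather than enabling a host-wide path.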
