On 09/01/2013 02:25 PM, Jose Luis Rivas wrote: > Sorry Daniel, won't do this. > > Can't see a real reason besides paranoia. Specially seeing a report from > your power usage.
i'm sorry to hear you feel this way. I'm not asking due to paranoia --
as i mentioned in the original bug report, there are at least three
cases that could cause people to want to do this: concerns about google,
concerns about cleartext code injection by someone who controls the
network (e.g. in a public wifi zone), and concerns about machines that
have no internet connection at all. You may think that the first two
categories are "paranoia" (though others with different network habits
or adversary models than you may disagree), but the last category is a
basic operation requirement for some users. Why not make it friendly
for them?
> Not only that, I don't like how people believes JavaScript libraries are
> maintained as other languages libraries. Right now in unstable is 1.7.2
> which isthe compatible with current powertop, but as soon as gets
> updated with 1.10.x it will break. That will create more bugs, and I
> wont create bugs for paranoia which will lead to nothing.
If API version compatibility is a problem, and libjquery-js is breaking
compatibility in ways that it needs to avoid, please submit a bug report
asking for library-style packaging of core javascript libraries (e.g.
libjs-jquery-1.7, if 1.7 is where the stable API is maintained). If a
given version of jquery API is required for viewing the output, we
should be explicit about that.
> You can't access to local fs via JavaScript on the browser, and the
> exploit can be done in the same domain. You will read it from file:///
> so nothing will happen.
I may be misunderstanding what you're saying here, but it sounds to me
like you're suggesting that there is no way for an attacker who can
inject arbitrary javascript into a page loaded via a file:/// URL can do
any harm. Even if this is true in the abstract (i'm not convinced it
is, given that there are a number of possible attacks other than reading
from the local filesystem), and if all browsers implemented their
javascript stacks with the appropriate sandboxing, this wouldn't resolve
the problem for machines without full internet access.
Anyway, it is of course your call on what to do; but i think it's a
shame that (a) all of the code involved is free software, already in
debian, yet (b) we're relying on cleartext third-party transmissions for
this functionality.
Thanks for maintaining powertop in debian!
Regards,
--dkg
signature.asc
Description: OpenPGP digital signature
