On Mon, Apr 26, 2010 at 01:34:21PM +0200, Cyril Brulebois wrote:
> Source: jscoverage
> Version: 0.4-1
> Severity: serious
> Tags: security
> Justification: ECC
>
> Hi (again),
>
> it was just noticed that the FTBFS on s390 I reported sounded like an
> FTBFS previously dealt with in libmozjs, meaning you're embedding it
> instead of just using libmozjs-dev and dropping your embedded code copy.
> Given the security records on xulrunner thingies, I'm opening this at
> serious severity with security tag…
>
It seems Fedora spotted the same issue when reviewing the jscoverage package:
https://bugzilla.redhat.com/show_bug.cgi?id=453264

One of the comments states the following:

"""
The Mozilla SpiderMonkey js library is intended to be used as a JavaScript interpreter, but JSCoverage uses it for parsing, rather than interpreting, JavaScript. Unfortunately the parsing functions are not "public" and could possibly change any time the library is upgraded. I think the above qualifies as a good reason to allow static linking.
"""

I was wondering if Debian would allow static linking in that case?

-- 
Johan Euphrosine (proppy) <pro...@aminche.com>
Development and services around Free Software
http://www.aminche.com/
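The bug hinges on whether the built jscoverage binary loads the system libmozjs (and so receives its security updates) or carries a private copy of SpiderMonkey. The following is an added check, written for this thread and not part of the bug report, of jscoverage or of Debian's tooling. It classifies a binary from the output of `ldd` and `nm -D`, both passed in as text so it can be exercised on constructed samples; the soname `libmozjs.so.1d` and the `JS_*` symbol names in the samples are illustrative assumptions.

```shell
# Added example: classify how a binary gets its SpiderMonkey.
# "dynamic"  = it loads a libmozjs shared object (what the bug asks for)
# "embedded" = JS_* symbols are compiled into the binary itself (a private
#              code copy that will not pick up libmozjs security updates)
# Both helpers take captured tool output as text; real usage is
#   mozjs_linkage "$(ldd /usr/bin/jscoverage)" "$(nm -D /usr/bin/jscoverage)"

# $1: text of `ldd <binary>`
mozjs_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libmozjs[^[:space:]]*\.so'; then
        echo dynamic
    else
        echo embedded
    fi
}

# $1: text of `nm -D <binary>` (dynamic symbol table, survives stripping).
# A defined (T) JS_* symbol means the engine was compiled in; an undefined
# (U) one is resolved from a shared library at load time.
mozjs_from_nm() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9a-f]* +T +JS_'; then
        echo embedded
    elif printf '%s\n' "$1" | grep -Eq ' +U +JS_'; then
        echo dynamic
    else
        echo unknown   # executables often export nothing; fall back to ldd
    fi
}

# $1: ldd text, $2: nm -D text. The two views must agree; otherwise report
# the conflict instead of guessing.
mozjs_linkage() {
    l=$(mozjs_from_ldd "$1")
    n=$(mozjs_from_nm "$2")
    if [ "$l" = "$n" ] || [ "$n" = unknown ]; then
        echo "$l"
    else
        echo "conflict:ldd=$l,nm=$n"
    fi
}

# Constructed sample tool output (not captured from a real jscoverage build).
LDD_DYN='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libmozjs.so.1d => /usr/lib/libmozjs.so.1d (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
NM_DYN='                 U JS_NewContext
                 U JS_CompileScript
                 U malloc'
LDD_EMB='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
NM_EMB='0000000000412340 T JS_NewContext
0000000000412560 T JS_CompileScript
                 U malloc'

echo "sample using libmozjs-dev: $(mozjs_linkage "$LDD_DYN" "$NM_DYN")"
echo "sample with embedded copy: $(mozjs_linkage "$LDD_EMB" "$NM_EMB")"
```

An "embedded" verdict on the installed package is what makes the report a security issue rather than a build nit: every libmozjs DSA would have to be rebuilt into jscoverage separately.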