On 27/11/2018 at 15:22, Xavier wrote:
> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
>> Quoting Xavier (2018-11-27 14:00:42)
>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
>>>> Hi Xavier and Paolo,
>>>>
>>>> Please allow me to highlight this security-related detail:
>>>>
>>>> Quoting Xavier (2018-11-26 16:29:32)
>>>>> Embedding components without following them may be a lack of security.
>>>>> I think we should have a policy for embedding:
>>>>> - components without major risks => not used in version
>>>>> - components that must be followed => declared as "group" in
>>>>> debian/watch
>>>>> - components that must be followed and used in many other packages
>>>>> => packaged separately
>>>>
>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
>>>>> With yesterday's news about the event-stream node module being pwned:
>>>>> https://github.com/dominictarr/event-stream/issues/116
>>>>> the importance of these matters should be clear to anyone.
>>>>> Probably there is no component "without major risks", and even if it
>>>>> existed, it would be unfair to lay upon the busy maintainer the task
>>>>> of deciding if it is risky or not.
>>>>
>>>> Thanks to _both_ of you (and others in the thread) for all your work
>>>> tackling these issues.
>>>>
>>>> My point here is *not* to point fingers, but to emphasize an important
>>>> aspect of our task as (re)distributors of code: Ensure code integrity
>>>> towards our users.
>>>>
>>>>
>>>> - Jonas
>>>
>>> Thanks, so I propose this policy update - please review this:
>>> - components used only during build => not used in version
>>> (except if they inject some code)
>>> - if upstream version isn't locked on dependencies (see Jérémy's remark)
>>> [or if upstream isn't serious?]:
>>> * very little component => not used in version
>>> * components that must be followed and maybe used in many other
>>> packages => packaged separately
>>> * other components => declared as "group" in debian/watch
>>
>> Sorry, I don't understand: Why not track code used during build?
>>
>> Seems you propose to systematically ignore potential upstream bugfixes.
>>
>>
>> - Jonas
>
> I was thinking of modules used to generate documentation, to test, ... So
> even if there is a security issue in them, the risk doesn't exist in the
> published binary.

This can avoid having too long a version string. We talked about version
summarization earlier, but it had many cons.

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel