On Tue, Nov 27, 2018 at 3:45 PM Xavier <y...@debian.org> wrote:
>
> On 27/11/2018 at 15:33, Jonas Smedegaard wrote:
> > Quoting Xavier (2018-11-27 15:22:10)
> >> On 27/11/2018 at 15:03, Jonas Smedegaard wrote:
> >>> Quoting Xavier (2018-11-27 14:00:42)
> >>>> On 27/11/2018 at 11:55, Jonas Smedegaard wrote:
> >>>>> Hi Xavier and Paolo,
> >>>>>
> >>>>> Please allow me to highlight this security-related detail:
> >>>>>
> >>>>> Quoting Xavier (2018-11-26 16:29:32)
> >>>>>> Embedding components without following them may be a lack of security.
> >>>>>> I think we should have a policy for embedding:
> >>>>>> - components without major risks => not used in version
> >>>>>> - components that must be followed => declared as "group" in
> >>>>>>   debian/watch
> >>>>>> - components that must be followed and used in many other packages
> >>>>>>   => packaged separately
> >>>>>
> >>>>> Quoting Paolo Greppi (2018-11-27 10:52:37)
> >>>>>> With yesterday's news about the event-stream node module being pwned:
> >>>>>> https://github.com/dominictarr/event-stream/issues/116
> >>>>>> the importance of these matters should be clear to anyone.
> >>>>>> Probably there is no component "without major risks", and even if it
> >>>>>> existed, it would be unfair to lay upon the busy maintainer the task
> >>>>>> of deciding if it is risky or not.
> >>>>>
> >>>>> Thanks to _both_ of you (and others in the thread) for all your work
> >>>>> tackling these issues.
> >>>>>
> >>>>> My point here is *not* to point fingers, but to emphasize an important
> >>>>> aspect of our task as (re)distributors of code: Ensure code integrity
> >>>>> towards our users.
> >>>>>
> >>>>> - Jonas
> >>>>
> >>>> Thanks, so I propose this policy update - please review this:
> >>>> - components used only during build => not used in version
> >>>>   (except if they inject some code)
> >>>> - if upstream version isn't locked on dependencies (see Jérémy's remark)
> >>>>   [or if upstream isn't serious?]:
> >>>>   * very little component => not used in version
> >>>>   * components that must be followed and maybe used in many other
> >>>>     packages => packaged separately
> >>>>   * other components => declared as "group" in debian/watch
> >>>
> >>> Sorry, I don't understand: Why not track code used during build?
> >>>
> >>> Seems you propose to systematically ignore potential upstream bugfixes.
> >>>
> >>> - Jonas
> >>
> >> I was thinking of modules used to generate documentation, to test, ... So
> >> even if there is a security issue in them, the risk doesn't exist in the
> >> published binary
> >
> > I think it is dangerous to try to judge systematically and automated with
> > no qualitative input what has security implications and what does not!
> >
> > - Jonas
>
> You're right but this has some other cons (version string length, ...).
> Today, components are allowed without any version following. So this
> point should also be inserted in Debian policy, shouldn't it?
Components were created for packaging multiple tarballs of the same project. See the cernlib package and cry for instance.

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
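For readers unfamiliar with the "declared as group in debian/watch" option the thread keeps referring to, here is an added illustration; it is not part of the thread and is not code from any of its participants. It is a constructed debian/watch (uscan format version 4) for a hypothetical Debian source package `node-foo` whose upstream tarball embeds a second npm module `bar`. Both lines use `group` in the version field, so uscan tracks each embedded component's upstream version separately and composes the package's upstream version from all of them (assumed here to be joined with `+~`, e.g. `1.2.3+~4.5.6`). The package and module names, URLs and versions are assumptions for the example.

```text
# debian/watch for the hypothetical source package node-foo (constructed example)
version=4

# Main tarball: the "foo" npm module. "group" in the version field tells uscan
# that this component's version is one part of a combined upstream version.
opts="searchmode=plain,pgpmode=none" \
 https://registry.npmjs.org/foo \
 https://registry.npmjs.org/foo/-/foo-(\d[\d\.]*)@ARCHIVE_EXT@ group

# Embedded component "bar": repacked as a secondary tarball (component=bar).
# Because it is also "group", uscan reports when *either* foo or bar has a
# newer upstream release, which is exactly the "follow the embedded code"
# property the thread asks for: a compromised or vulnerable embedded module
# is no longer invisible to the maintainer.
opts="searchmode=plain,pgpmode=none,component=bar" \
 https://registry.npmjs.org/bar \
 https://registry.npmjs.org/bar/-/bar-(\d[\d\.]*)@ARCHIVE_EXT@ group
```

With this layout `uscan` fetches `foo-1.2.3.tgz` and `bar-4.5.6.tgz` and proposes a combined upstream version such as `1.2.3+~4.5.6`, which is also why the thread mentions version string length as a cost: every tracked component adds its own version to the string, so a package embedding many modules ends up with a long but fully traceable version.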