
Re: What can Debian do to provide complex applications to its users?

Hi Sean,

On Sat, 17 Feb 2018, Sean Whitton wrote:
> I was making a more specific claim -- we don't and will never have the
> manpower to provide security support for multiple different versions of
> hundreds of little JavaScript libraries.

please have a look, for example, at CVE-2017-18077 [1] in the security tracker. This CVE affects one little JavaScript library and is marked as <unimportant>. There is also a note attached, saying: "nodejs not covered by security support".

Basically all other CVEs for node modules are marked as <unimportant> as well. So we do track all JavaScript issues, but we don't create DSAs for them and don't include them in point releases (as you can see, for example, in CVE-2016-1000236 [2][3][4]).

Other JavaScript libraries like libjs-* and *.js don't even get a CVE. So either they are secure or nobody cares.

From a security manpower point of view, there is no difference whether we
have hundreds of little JavaScript libraries in only one or in multiple versions.

   Thorsten
[1] https://security-tracker.debian.org/tracker/CVE-2017-18077
[2] https://security-tracker.debian.org/tracker/CVE-2016-1000236
[3] https://nodesecurity.io/advisories/134
[4] https://tracker.debian.org/pkg/node-cookie-signature