Web lists-archives.com

Re: Browserified copy and DFSG


On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:

> On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
>> Ok adding cc @security
>> How will you handle security problem in static
>> (browserified/webpacked) javascript library ?
> Same goes for the other languages that do static linking. It would be
> great to have this wiki page updated with some realistic strategies:
> https://wiki.debian.org/StaticLinking
> IIRC the security team recently flagged Go packages as being
> problematic for security support in the Debian buster release. I guess
> the same will apply to Rust now that Firefox switched to it?

Hmm, Go looks to be using Built-Using in a way that is not

The Haskell team uses virtual package names in the Provides: field,
where these virtual package names contain a hash.  This hash encodes all
the versions of the dependencies that this build of the binary package
used.  The Depends: field of other libraries is populated with these
virtual package names.  For example:

    spwhitton@iris:~>apt show libghc-propellor-dev
    Provides: libghc-propellor-dev-3.2.3-2bad6
    Depends: libghc-ifelse-dev-, libghc-missingh-dev-, libghc-ansi-terminal-dev-, libghc-async-dev-2.1.0-c8d71, libghc-base-dev-, libghc-bytestring-dev-, libghc-containers-dev-, libghc-directory-dev-, libghc-exceptions-dev-0.8.3-5d23e, libghc-filepath-dev-, libghc-hslogger-dev-1.2.10-8c36b, libghc-mtl-dev-2.2.1-3d1c9, libghc-network-dev-, libghc-process-dev-, libghc-stm-dev-, libghc-text-dev-, libghc-time-dev-, libghc-transformers-dev-, libghc-unix-dev-, libghc-unix-compat-dev-, libc6 (>= 2.2.5), libgmp10

From this information it is possible to determine what needs rebuilding,
and we have a script that does that.  I assume this approach could be
extended to (e.g.) Go.

Unfortunately, all this is only for libraries; noticing that a binary
package that installs something into /usr/bin needs rebuilding is
manual.  I think it could be extended, but it all depends on cdbs, so
no-one wants to touch it.

Sean Whitton

Attachment: signature.asc
Description: PGP signature