Web lists-archives.com

Re: Browserified copy and DFSG




(drop pkg-javascript-devel)

On Sun, Sep 9, 2018 at 12:52 AM Sean Whitton <spwhitton@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:
>
> > On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
> >
> >> Ok adding cc @security
> >>
> >> How will you handle security problem in static
> >> (browserified/webpacked) javascript library ?
> >
> > Same goes for the other languages that do static linking. It would be
> > great to have this wiki page updated with some realistic strategies:
> >
> > https://wiki.debian.org/StaticLinking
> >
> > IIRC the security team recently flagged Go packages as being
> > problematic for security support in the Debian buster release. I guess
> > the same will apply to Rust now that Firefox switched to it?
>
> Hmm, Go looks to be using Built-Using in a way that is not
> Policy-compliant.
>

I just sent this Go team few days ago,

https://lists.debian.org/debian-go/2018/09/msg00010.html

What I see as a replacement is using X-Go-Built-Using, like the Rust
team(which uses X-Cargo-Built-Using).

But this needs release-team (and maybe security team) to confirm as
mentioned by stapelberg


For the security concern about Go in buster, more background is at
https://alioth-lists.debian.net/pipermail/pkg-go-maintainers/Week-of-Mon-20180903/023312.html

The main issue seems that we can't simply schedule binNMU on security-master.
Whatever field is using to record the library statically embedded, the
script to filter the outdated binary is simple.


-- 
Shengjing Zhu <zhsj@xxxxxxxxxx>
GPG Key: 0xCF0E265B7DFBB2F2
Homepage: https://zhsj.me