
Re: Browserified copy and DFSG

(drop pkg-javascript-devel)

On Sun, Sep 9, 2018 at 12:52 AM Sean Whitton <spwhitton@xxxxxxxxxxxxxx> wrote:
> Hello,
> On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:
> > On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
> >
> >> Ok adding cc @security
> >>
> >> How will you handle security problems in static
> >> (browserified/webpacked) javascript libraries?
> >
> > Same goes for the other languages that do static linking. It would be
> > great to have this wiki page updated with some realistic strategies:
> >
> > https://wiki.debian.org/StaticLinking
> >
> > IIRC the security team recently flagged Go packages as being
> > problematic for security support in the Debian buster release. I guess
> > the same will apply to Rust now that Firefox switched to it?
> Hmm, Go looks to be using Built-Using in a way that is not
> Policy-compliant.

I just sent this to the Go team a few days ago,


What I see as a replacement is using X-Go-Built-Using, like the Rust
team (which uses X-Cargo-Built-Using).

But this needs the release team (and maybe the security team) to confirm, as
mentioned by stapelberg.

For the security concern about Go in buster, more background is at

The main issue seems to be that we can't simply schedule a binNMU on security-master.
Whatever field is used to record the statically embedded libraries, the
script to filter out the outdated binaries is simple.

Shengjing Zhu <zhsj@xxxxxxxxxx>
GPG Key: 0xCF0E265B7DFBB2F2
Homepage: https://zhsj.me
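The message above says that, whichever field records the statically embedded libraries, filtering for binaries that need a rebuild is simple. The following is an added example (not code from the message, the Go team, or any Debian tool) of that filter: it parses Packages-style stanzas, reads Built-Using, X-Go-Built-Using and X-Cargo-Built-Using, and reports binaries whose recorded source version is no longer the current one. The stanzas and the current-version table are constructed sample data, and the package names in them are hypothetical; a real run would read a Packages file and a Sources index instead.

```python
import re

# Constructed sample Packages stanzas (hypothetical package names, not archive data).
SAMPLE_PACKAGES = """\
Package: example-go-app
Version: 1.4.0-1
Architecture: amd64
Built-Using: golang-example-net (= 1:0.0+git20180124.0ed95ab-1),
 golang-example-common (= 0+git20180518.7600349-1)

Package: example-rust-tool
Version: 0.3.1-2
Architecture: amd64
X-Cargo-Built-Using: rust-example-tls (= 0.10.5-1)

Package: example-plain
Version: 2.10-2
Architecture: amd64
"""

# Constructed "current" source versions, as they would stand after a fixed
# golang-example-net upload (the -2 revision) reached the suite.
CURRENT_SOURCES = {
    "golang-example-net": "1:0.0+git20180124.0ed95ab-2",
    "golang-example-common": "0+git20180518.7600349-1",
    "rust-example-tls": "0.10.5-1",
}

# Fields that may record statically embedded sources.
BUILT_USING_FIELDS = ("Built-Using", "X-Go-Built-Using", "X-Cargo-Built-Using")

# One reference looks like: source-name (= version)
_REF_RE = re.compile(r"(\S+)\s*\(=\s*([^)]+?)\s*\)")


def parse_stanzas(text):
    """Split RFC 822-style control text into a list of {field: value} dicts.

    Continuation lines (leading whitespace) are folded into the preceding field,
    which matters because Built-Using lists are often wrapped."""
    stanzas = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        last_key = None
        for line in chunk.splitlines():
            if line[:1].isspace() and last_key is not None:
                fields[last_key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                last_key = key.strip()
                fields[last_key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def embedded_sources(stanza):
    """Return [(source, version), ...] recorded in any Built-Using-style field."""
    refs = []
    for field in BUILT_USING_FIELDS:
        if field in stanza:
            refs.extend(_REF_RE.findall(stanza[field]))
    return refs


def outdated_binaries(packages_text, current_sources):
    """Return (binary, source, built_with, current) for every embedded source
    whose recorded version is not the current one (or has left the archive).

    Any mismatch is reported, not only older versions: a binary built against
    a version that is no longer in the suite needs a rebuild either way."""
    findings = []
    for stanza in parse_stanzas(packages_text):
        for source, built_with in embedded_sources(stanza):
            current = current_sources.get(source)
            if current != built_with:
                findings.append((stanza["Package"], source, built_with, current))
    return findings


if __name__ == "__main__":
    for binary, source, built_with, current in outdated_binaries(SAMPLE_PACKAGES, CURRENT_SOURCES):
        print(f"{binary}: embeds {source} {built_with}, current is {current} -> needs rebuild")
```

The version check is plain inequality rather than a dpkg version comparison, since the question for a rebuild is whether the embedded source is still the one in the suite; a binary that references a version not in the archive is flagged with `current` set to `None`.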