
Re: Proposed mass prototypejs bug filing for multiple security issues

Michael S Gilbert dijo [Sun, Oct 18, 2009 at 08:43:35PM -0400]:
> Hi,
> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1].  This script is embedded in about 32 other
> packages and I would like to file bugs against all of those that are
> affected. Since this would probably be considered a mass filing, I am
> running it past -devel first.
> (…)

Just for the record, I agree with your mass filing (which is not
massive anyway). 

However, I'd also suggest your bugs (and as a matter of general
policy) should invite said maintainers to depend on libjs-prototype
and symlink it instead of shipping the package's own versions, except
if there is a _real_ need to do so (i.e. upstream-modified versions of
prototype or dependence on specific API versions).

As those packages are currently shipping, they are basically worse off
than if they were statically linking a library: It leads to code
duplication and cases such as this, where it becomes a serious and
hard to fix security liability which not only must be hand-corrected,
but must be hand-spotted.

Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244
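As an added example (not part of this thread), a small POSIX shell audit that illustrates the point made above: it walks a tree, finds every prototype.js, reads the upstream version marker, and reports which copies are embedded regular files (duplicated code that would need a separate fix) versus symlinks into the system-wide libjs-prototype copy. The system path, the sample tree and its contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed example: audit a file tree for embedded copies of prototype.js.
# The system path below is an assumption; adjust for the distribution in use.
SYSTEM_COPY="${SYSTEM_COPY:-/usr/share/javascript/prototype/prototype.js}"

# Extract the upstream version string from a prototype.js copy.
# Upstream embeds it as:  Prototype = { Version: '1.6.1', ... }
prototype_version() {
    sed -n "s/.*Version: *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Walk a tree and print one line per copy found:  <status> <version> <path>
# status is "embedded" for a regular file (must be hand-patched in that package)
# or "symlinked" for a symlink (tracks the system package instead).
audit_prototype_copies() {
    find "$1" -name 'prototype.js' \( -type f -o -type l \) | sort |
    while read -r f; do
        if [ -L "$f" ]; then status=symlinked; else status=embedded; fi
        printf '%s %s %s\n' "$status" "$(prototype_version "$f")" "$f"
    done
}

# Number of copies that would each need their own security fix.
count_embedded() {
    audit_prototype_copies "$1" | grep -c '^embedded '
}

# --- Constructed sample tree (not a real package layout) ---
# pkgs/app-a ships its own copy; pkgs/app-b symlinks to a "system" copy in sys/.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pkgs/app-a/js" "$root/pkgs/app-b/static" "$root/sys"
    printf "Prototype = {\n  Version: '1.6.0.3',\n};\n" > "$root/pkgs/app-a/js/prototype.js"
    printf "Prototype = {\n  Version: '1.6.1',\n};\n" > "$root/sys/prototype.js"
    ln -s "$root/sys/prototype.js" "$root/pkgs/app-b/static/prototype.js"
    printf '%s\n' "$root"
}

# Usage: scan an installed tree, e.g.  audit_prototype_copies /usr/share
# Demonstration on the constructed tree:
demo_root=$(make_sample_tree)
audit_prototype_copies "$demo_root/pkgs"
rm -rf "$demo_root"
```

Only the "embedded" lines call for per-package action; "symlinked" copies are fixed once by updating the system package.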
