Re: Dealing with embedded javascript libraries

To: Pau Garcia i Quiles <pgquiles@elpauer.org>
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, Michael Gilbert <michael.s.gilbert@gmail.com>, debian-devel@lists.debian.org
Subject: Re: Dealing with embedded javascript libraries
From: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Date: Mon, 31 Oct 2011 22:50:03 -0400
Message-id: <[🔎] 4EAF5E5B.50505@canonical.com>
In-reply-to: <CAKcBokuijJu-o_W1vTMX0AYrUqSZ9cheUcOSLF3TSb3fjWxjWQ@mail.gmail.com>
References: <20111023151317.GA26161@rivendell.home.ouaza.com> <87y5wbvi9s.fsf@mirexpress.internal.placard.fr.eu.org> <87bot7l2hb.fsf@benfinney.id.au> <4EA889CB.4070109@canonical.com> <CANTw=MOZQNeauKuGZDvf1EOWPCmt9DGLarqWrkWm3_3W-WKw9A@mail.gmail.com> <20136.38836.832796.412159@chiark.greenend.org.uk> <CAKcBokuijJu-o_W1vTMX0AYrUqSZ9cheUcOSLF3TSb3fjWxjWQ@mail.gmail.com>

W dniu 31.10.2011 14:49, Pau Garcia i Quiles pisze:

On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
<ijackson@chiark.greenend.org.uk>  wrote:

The difficulty is that if we end up with ten different versions of
some random javascript library, when it turns out to have a security
vulnerability we need to somehow backport the patch to each of those
ten versions.

And here "we" means the security team, not the people who uploaded the
ten versions in the first place.

So this is rather unpalatable.


What's the alternative?

It seems that we only have two choices:

- Either all packages use the same version of the JavaScript library
(what we have been doing until now, which results in some packages not
working properly due to changes in the JavaScript library that
manifest only in some situations in runtime). This is essentially what
we do with C, C++, etc libraries, btw: the whole Debian is built
against the same zlib, same glibc, same libpng, etc

or

- Each package works with the upstream-bundled version of the
JavaScript library (and then we have the problem of backporting
security fixes). The advantage being we are sure the application works
as expected because it has been tested by upstream.


I'm not sure what's worse: a malfunctioning application or an insecure one.


Zygmunt's proposal of adding unit testing, etc to upstream is a noble
one but highly unrealistic, IMHO.

For the record. I stated the reverse, what you described above wasproposed by someone else. I on the other hand agree that we should:

1) Ship _bundled_ libraries that upstream provides. The rationale isthat version is what upstream supports. I don't believe in our capacityto support random applications out there better than upstreams already do.

OR

2) Have broad multi-version support (perhaps eventually at dpkg level),package multiple versions of javascript libraries, depend on the preciseversion that upstream used. The motivation for this is similar to myprevious point except that it might be, theoretically, better to supportsecurity fixes. The more direct advantage is easier support forincompatible, co-installable versions of a single library.

I think that security aspect is moot because failing to find a properpackage people will just revert to _not_ using dpkg for their webdeployments and the world will NOT be a single bit more secure.


Best regards
ZK

Reply to:

Next by Date: Re: Announcing derivatives patches and call for help and feedback
Next by thread: Re: Dealing with embedded javascript libraries
Index(es):
- Date
- Thread