Re: Dealing with embedded javascript libraries
- To: Pau Garcia i Quiles <pgquiles@elpauer.org>
- Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, debian-devel@lists.debian.org
- Subject: Re: Dealing with embedded javascript libraries
- From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Date: Mon, 7 Nov 2011 18:12:42 +0000
- Message-id: <20152.8090.30627.248314@chiark.greenend.org.uk>
- In-reply-to: <CAKcBokuijJu-o_W1vTMX0AYrUqSZ9cheUcOSLF3TSb3fjWxjWQ@mail.gmail.com>
- References: <20111023151317.GA26161@rivendell.home.ouaza.com> <87y5wbvi9s.fsf@mirexpress.internal.placard.fr.eu.org> <87bot7l2hb.fsf@benfinney.id.au> <4EA889CB.4070109@canonical.com> <CANTw=MOZQNeauKuGZDvf1EOWPCmt9DGLarqWrkWm3_3W-WKw9A@mail.gmail.com> <20136.38836.832796.412159@chiark.greenend.org.uk> <CAKcBokuijJu-o_W1vTMX0AYrUqSZ9cheUcOSLF3TSb3fjWxjWQ@mail.gmail.com>
Pau Garcia i Quiles writes ("Re: Dealing with embedded javascript libraries"):
> On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> <ijackson@chiark.greenend.org.uk> wrote:
> > The difficulty is that if we end up with ten different versions of
> > some random javascript library, when it turns out to have a security
> > vulnerability we need to somehow backport the patch to each of those
> > ten versions.
> >
> > And here "we" means the security team, not the people who uploaded the
> > ten versions in the first place.
> >
> > So this is rather unpalatable.
>
> What's the alternative?
>
> It seems that we only have two choices:
>
> - Either all packages use the same version of the JavaScript library
...
> - Each package works with the upstream-bundled version of the
We could do this:
* No JS libraries should be bundled into binary packages; instead,
each package should Depend on an appropriate separate JS library
package.
* JS library packages should be versioned in the name, like C runtime
library packages are, so that multiple versions are coinstallable.
* If the number of different versions of a single JS library becomes
"too large", ftp-master and/or the security team will call a halt
and the uploads and/or testing migrations of some of them will be
blocked.
Ian.
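As an added example (not from Ian's message or from any Debian tool), a small POSIX shell script sketches how the first three points could be checked against a Packages-style index: it treats a trailing version in a package name (libjs-jquery1.6) as the "versioned in the name" convention, counts how many coinstallable versions of each JS library exist, flags libraries over a threshold, and lists which packages Depend on a given versioned library. The index excerpt, the package names and the threshold of 2 are constructed assumptions, not real archive data.

```shell
#!/bin/sh
# Added example, not part of the original thread. Inspects a Debian
# Packages-style index for JS libraries packaged under versioned names
# (libjs-foo1.4, libjs-foo1.6, ...) and reports how many versions of
# each library are present. The index below is constructed for
# illustration; the names and versions are not real archive contents.

PACKAGES_SAMPLE='Package: libjs-jquery1.4
Version: 1.4.2-1
Section: web

Package: libjs-jquery1.6
Version: 1.6.4-1
Section: web

Package: libjs-jquery1.7
Version: 1.7.0-1
Section: web

Package: libjs-prototype1.7
Version: 1.7.0-1
Section: web

Package: example-webapp
Version: 2.0-1
Depends: libjs-jquery1.6, python
Section: web
'

# count_versions INDEX_TEXT
# Prints "<library> <number of versioned packages>" per library.
# Only package names of the form libjs-<name><digits[.digits]> are counted;
# an unversioned libjs-foo is deliberately ignored here.
count_versions() {
    printf '%s\n' "$1" \
    | sed -n 's/^Package: \(libjs-[a-z][a-z-]*[a-z]\)[0-9][0-9.]*$/\1/p' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# flag_overloaded INDEX_TEXT MAX
# Prints the libraries with more than MAX coinstallable versions, i.e.
# the candidates for the "too many versions" halt described in the mail.
flag_overloaded() {
    count_versions "$1" | awk -v max="$2" '$2 + 0 > max + 0 { print $1 }'
}

# dependents INDEX_TEXT LIBRARY_PACKAGE
# Prints the packages whose Depends field names LIBRARY_PACKAGE, which is
# what a security fix to that version would need to be tested against.
dependents() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        /^Package: / { pkg = $2 }
        /^Depends: / {
            n = split(substr($0, 10), deps, /, */)
            for (i = 1; i <= n; i++) {
                sub(/ .*/, "", deps[i])   # drop any version constraint
                if (deps[i] == lib) print pkg
            }
        }'
}

# Stand-alone run: list every library with its version count, then the
# ones over the (constructed) threshold of 2.
count_versions "$PACKAGES_SAMPLE"
echo "over threshold (>2): $(flag_overloaded "$PACKAGES_SAMPLE" 2)"
```

With the sample index this reports three coinstallable jquery packages and one prototype package, flags jquery as over the threshold, and shows example-webapp as the only dependent of libjs-jquery1.6; a real check would read /var/lib/apt/lists or a mirror's Packages file instead of the inline string.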