
Re: Security concerns with minified javascript code



Russ Allbery wrote:
>Neil Williams <codehelp@debian.org> writes:
>
>> Usable software needs usable tools.
>
>The problem is that this *is* usable for nearly all the people who
>currently use it, who just run one command to install it and have all
>those dependencies pulled from a remote repo for them.  Because the
>dependency installation process is so easy, they think no more about
>adding new dependencies than we think about installing some application
>with apt that happens to require a bunch of shared libraries.
>
>In other words, the people developing and using this tool don't see this
>as a problem, and therefore don't care about fixing it.

Depressingly, it seems a lot of the same web typists don't have any
problems with doing the equivalent of
"curl http://some.site/install.sh | sudo bash". That doesn't mean we have
to do the same in Debian. If there's no sensible way to do controlled
web development, let's just drop this from Debian *now*.

We can continue having the discussion about how to make things better
and providing clue to clueless upstreams, but in the meantime this is
a massive security breach just waiting to happen.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
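The "curl http://some.site/install.sh | sudo bash" pattern the post objects to gives the operator no chance to check what they are about to run as root. As an added example (not code from the thread or from any Debian tool), the POSIX shell snippet below shows the minimal alternative: save the script to disk, compare its SHA-256 against a digest obtained out of band, and only then execute it, unprivileged. The function names `sha256_of` and `verify_and_run`, and the constructed sample installer, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Fetch-then-verify-then-run
# instead of piping an unverified script straight into a privileged shell.

# sha256_of FILE: hex digest, using sha256sum (GNU) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [RUNNER]
# Runs FILE with RUNNER (default: sh, as the current unprivileged user) only if
# the digest matches EXPECTED_SHA256; otherwise runs nothing and returns 1.
verify_and_run() {
    file=$1
    expected=$2
    runner=${3:-sh}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual does not match $expected" >&2
        return 1
    fi
    "$runner" "$file"
}

# Demo with a constructed "installer" written to a temp file. In real use the
# file would come from curl -o and EXPECTED from the project's signed release
# notes or a distribution package, never from the same download.
demo() {
    tmp=$(mktemp)
    printf 'echo installer ran\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_and_run "$tmp" "$good"                   # digest matches: runs
    verify_and_run "$tmp" "0000000000000000" \
        || echo "blocked: digest mismatch, script not executed"
    rm -f "$tmp"
}

demo
```

The digest check only helps if the expected value comes from somewhere the attacker who controls the download cannot also edit; a hash published next to the script on the same host adds nothing. Where upstream signs releases, checking the signature (for example with gpg --verify) in place of the bare hash is the stronger version of the same step.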

