Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Russ Allbery <rra@debian.org>
Date: Tue, 01 Sep 2015 18:05:09 -0700
Message-id: <[🔎] 87oahlskai.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20150902004630.GA16895@x> (Josh Triplett's message of "Tue, 1 Sep 2015 17:46:30 -0700")
References: <[🔎] 20150902004630.GA16895@x>

Josh Triplett <josh@joshtriplett.org> writes:

> That said, we absolutely do need to fix this in Debian: it's not OK to
> build packages in main using tools not shipped in Debian, or to ship
> precompiled files.  As a start, it would help if when JavaScript folks
> try to package the packages needed as part of their toolchain, they stop
> getting told that their packages are too small, that they shouldn't be
> packaged at all, or that they should be combined with other packages
> that have different upstream sources and release cycles.

I want to highlight this, because it's an important point that I don't
think had previously been raised in this thread.  There are some
communities that make a practice of releasing very small units of code.  I
understand that our current metadata management and distribution framework
makes this less than ideal for the archive, but I think it would be
worthwhile investing some effort into fixing that instead of pushing
packagers to either not package those components or do a lot more work to
try to create rollup packages that aren't what anyone expects.

Healthy language communities have their own metadata systems and
standardized build systems that allow Debian packaging to be nearly
automated, *provided* that we use the same unit of distribution as
upstream.  If we want to make any headway on the huge Javascript
ecosystem, we can't rely on individuals hand-packaging each one of those
libraries.  We need to be able to use tools to do nearly all the packaging
work automatically and ask humans only to do sanity checking and bug
triage and the other parts of the work that we can't automate.  And that's
way harder if they also have to fight with rebundling upstream releases
into some other format.

I'm not sure how much practical impact this has had, but I know it's come
up a few times, just as it's come up occasionally with Perl modules and
other packages.  If the metadata issues with introducing another ~100
packages in order to model an upstream distribution properly are serious,
that would be a great thing that people in Debian could work on fixing, to
make it much more likely that we can properly package these tools.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Lars Wirzenius <liw@liw.fi>
- Re: Security concerns with minified javascript code
  - From: Samuel Thibault <sthibault@debian.org>

References:
- Re: Security concerns with minified javascript code
  - From: Josh Triplett <josh@joshtriplett.org>

Prev by Date: Re: Security concerns with minified javascript code
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread