Re: What can Debian do to provide complex applications to its users?



On Tue, Feb 27, 2018 at 02:14:02PM +0000, Simon McVittie wrote:
>...
> Also, the security team specifically don't provide security
> support for libv8, which apparently extends to node-* packages like
> <https://security-tracker.debian.org/tracker/CVE-2015-8855>, so it's
> hard to see how tolerating embedded code copies of nodejs modules in
> particular would make their security support situation a whole lot worse:
> it's already the case that the upstream and downstream maintainers of
> these modules (or the applications that bundle them, or both) provide
> the only security maintenance they'll get. In practice, this isn't as
> awful as it first appears, because nodejs modules are often very small,
> so an individual nodejs module is relatively unlikely to contain security
> vulnerabilities even if its defect density is high, simply because there
> isn't very much code to be vulnerable.
>...

https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
"Unfortunately, this means that libv8-3.14, nodejs, and the associated 
 node-* package ecosystem should not currently be used with untrusted 
 content, such as unsanitized data from the Internet."

IMHO any package in Debian stable that uses a node* package on untrusted 
content should get an RC bug and a CVE - it is clearly documented that 
this should not be done.

> Regards,
>     smcv
>...

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
