Re: concerns about Salsa

To: debian-devel@lists.debian.org
Subject: Re: concerns about Salsa
From: Paul Wise <pabs@debian.org>
Date: Tue, 5 Jun 2018 10:05:53 +0800
Message-id: <[🔎] CAKTje6Gav=unrrjZ-YF0c-JGwTVymfFbJ98TJLi6TDNnEYOjxw@mail.gmail.com>
In-reply-to: <[🔎] 3155612.nf7Q4P6B6c@deblab>
References: <[🔎] 3155612.nf7Q4P6B6c@deblab>

On Mon, Jun 4, 2018 at 6:29 PM, Dmitry Smirnov wrote:

> IMHO we should have been working on improving GitLab package in order to make
> is suitable for Salsa if it is not suitable already. What are the blockers?

In my opinion the biggest blocker is that, the node.js ecosystem is
not security supported by Debian because of libv8 not being security
supported. In addition, there is no-one in Debian tracking
vulnerabilities in the node.js ecosystem reported by NodeSecurity and
importing the issues into the Debian security tracker. I used to do
this occasionally to see how many issues we were ignoring but it needs
to be done in a systematic way by people interested in JavaScript
security. The biggest problem with this is that a lot of NodeSecurity
reported issues do not get a CVE, this seems to be improving though.
After that, the ones that did get a CVE were either still reserved
with no info or in 'check' mode and needed to be classed as not-for-us
or applying to a certain Debian package.

https://nodesecurity.io/advisories

I have no idea how that compares with the security support provided by
GitLab upstream though.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

References:
- concerns about Salsa
  - From: Dmitry Smirnov <onlyjob@debian.org>

Prev by Date: Re: Bug#899299: libu2f-udev: Post-inst script should make udev reload rules
Next by Date: Re: concerns about Salsa
Previous by thread: Re: rkt, Golang
Next by thread: Bug#900770: ITP: node-svgpath -- Low level transforms on svg path element
Index(es):
- Date
- Thread