Re: Browserified copy and DFSG

To: spwhitton@spwhitton.name
Cc: pabs@debian.org, roucaries.bastien@gmail.com, security@debian.org, niels@thykier.net, debian-devel@lists.debian.org, ftpmaster@debian.org
Subject: Re: Browserified copy and DFSG
From: Shengjing Zhu <zhsj@debian.org>
Date: Sun, 9 Sep 2018 01:10:45 +0800
Message-id: <[🔎] CAFyCLW_iJXmZR7MT9stYPVou+TL-xJPPmiBwPtgJsP8=he2uRg@mail.gmail.com>
In-reply-to: <[🔎] 87mussszip.fsf@iris.silentflame.com>
References: <CAE2SPAZeN6urdBBmGLNSv975JCY=3oNGZ2U8LnZRa0_6P_eqbA@mail.gmail.com> <28287e31-8579-0698-a759-666ff7eb7563@thykier.net> <[🔎] CAE2SPAYg2P4EsDha6hUWCR+Hp+J6x7yry0xqBZLywyrP_g488A@mail.gmail.com> <[🔎] 8736ummk8t.fsf@iris.silentflame.com> <[🔎] CAE2SPAYd0tU2q9GxxyTDrDz6O=Q-+CKRufYvdwSYPQ=0ROufxA@mail.gmail.com> <[🔎] CAKTje6Erd-TgKTZ7oQ5S+xQ9LtXYNgwHgRD6Qa--9rrJEd3fSw@mail.gmail.com> <[🔎] 87mussszip.fsf@iris.silentflame.com>

(drop pkg-javascript-devel)

On Sun, Sep 9, 2018 at 12:52 AM Sean Whitton <spwhitton@spwhitton.name> wrote:
>
> Hello,
>
> On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:
>
> > On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
> >
> >> Ok adding cc @security
> >>
> >> How will you handle security problem in static
> >> (browserified/webpacked) javascript library ?
> >
> > Same goes for the other languages that do static linking. It would be
> > great to have this wiki page updated with some realistic strategies:
> >
> > https://wiki.debian.org/StaticLinking
> >
> > IIRC the security team recently flagged Go packages as being
> > problematic for security support in the Debian buster release. I guess
> > the same will apply to Rust now that Firefox switched to it?
>
> Hmm, Go looks to be using Built-Using in a way that is not
> Policy-compliant.
>

I just sent this Go team few days ago,

https://lists.debian.org/debian-go/2018/09/msg00010.html

What I see as a replacement is using X-Go-Built-Using, like the Rust
team(which uses X-Cargo-Built-Using).

But this needs release-team (and maybe security team) to confirm as
mentioned by stapelberg


For the security concern about Go in buster, more background is at
https://alioth-lists.debian.net/pipermail/pkg-go-maintainers/Week-of-Mon-20180903/023312.html

The main issue seems that we can't simply schedule binNMU on security-master.
Whatever field is using to record the library statically embedded, the
script to filter the outdated binary is simple.


-- 
Shengjing Zhu <zhsj@debian.org>
GPG Key: 0xCF0E265B7DFBB2F2
Homepage: https://zhsj.me

Reply to:

References:
- Re: Browserified copy and DFSG
  - From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
- Re: Browserified copy and DFSG
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: Browserified copy and DFSG
  - From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
- Re: Browserified copy and DFSG
  - From: Paul Wise <pabs@debian.org>
- Re: Browserified copy and DFSG
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: Browserified copy and DFSG
Next by Date: Re: New package netgen-lvs with binary /usr/bin/netgen - already taken
Previous by thread: Re: Browserified copy and DFSG
Next by thread: Re: Browserified copy and DFSG
Index(es):
- Date
- Thread