
Bug#778348: release-notes: document security status for libv8/nodejs in jessie



Control: tags -1 pending

On 2015-02-13 22:35, Michael Gilbert wrote:
> package: release-notes
> severity: important
> tags: security
> x-debbugs-cc: pkg-javascript-devel@lists.debian.org
> 
> Information was added about this problem to the libv8 package [0], but
> it would be useful to state something in the release notes also.
> Please see draft attached.
> 
> Best wishes,
> Mike
> 
> [0] http://bugs.debian.org/775715
> 

Hi,

I have attached Michael's patch (with Stephan's typo fixes) and included
a few minor changes on top of this.  The result is attached as
0001-en-issues-Document-lack-of-security-support-for-Node.patch.

Review/remarks welcome.

Thanks,
~Niels


From b4a2d1c275bf871705d53b4861c1dd26f568f2c8 Mon Sep 17 00:00:00 2001
From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d>
Date: Mon, 16 Feb 2015 08:07:01 +0000
Subject: [PATCH 1/2] en/issues: Document lack of security support for Node.js

Includes typo fixes, mark-up changes and minor word changes from
Stephan Beck <sbeck@mailbox.org> and nthykier.

Closes: #778348
Written-by: Michael Gilbert <mgilbert@debian.org>
Signed-off-by: Niels Thykier <niels@thykier.net>

git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10634 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
 en/issues.dbk | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/en/issues.dbk b/en/issues.dbk
index 51a144f..8b232f5 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -45,6 +45,28 @@ role="package">debian-security-support</systemitem>, introduced in
 packages.</para>
 </section>
 
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and Node.js</title>
+<para>
+   The Node.js platform is built on top of libv8, which receives a
+   high volume of security issues but there are currently no
+   volunteers within the project or the security team sufficiently
+   interested and willing to spend the large amount of time required
+   to stem those incoming issues.
+</para>
+<para>
+   Unfortunately, this means that <systemitem
+   role="package">libv8</systemitem>, <systemitem
+   role="package">nodejs</systemitem>, and the associated node-*
+   package ecosystem should not currently be used with untrusted
+   content, for example unsanitized data from the internet.
+</para>
+<para>
+   In addition, these packages will not receive any security updates
+   during the lifetime of the jessie release.
+</para>
+</section>
+
 <section id="openssh">
   <title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
   <!-- Wheezy to Jessie -->
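Review bot: the new section states that libv8, nodejs and the node-* packages "will not receive any security updates during the lifetime of the jessie release" but gives the reader no way to verify that on an installed system, even though the unchanged context lines directly above the hunk already introduce the debian-security-support package for exactly this purpose; consider adding a sentence such as "See also the debian-security-support package described above." so that the two sections are tied together. Two smaller points in the same hunk: the first paragraph is a run-on ("...which receives a high volume of security issues but there are currently no volunteers within the project or the security team sufficiently interested and willing...") and reads better split after "security issues", with the second sentence stating plainly that neither the maintainers nor the security team currently have the capacity to track them; and the neighbouring openssh section carries a `<!-- Wheezy to Jessie -->` marker right after its `<title>`, which the new libv8 section lacks, so the same marker should be added after line `<title>Lack of security support for the ecosystem around libv8 and Node.js</title>` for consistency.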
-- 
2.1.4

