
Bug#898431: lintian.debian.org should emit source-contains-prebuilt-wasm-binary (backport file?)



On Fri, May 11, 2018 at 5:27 PM, Chris Lamb <lamby@debian.org> wrote:
> retitle 898431 please update version of file(1) on lindsay.debian.org to detect .wasm files
> thanks
>
> Bastien,
>
>> source-contains-prebuilt-wasm-binary source tag is not emitted due to
>> too old file.
>
> To clarify for anyone else who had difficulty parsing this, "file" here
> refers to file(1)/src:file, not to the prebuilt .wasm file itself.
>
> Niels, is this one for us or DSA?
>
>> wasm is a crap over a crap of nodejs community.
>
> Please try and keep these inflammatory and ultimately non-technical
> comments to a minimum. They can do nothing but demotivate the already-
> overworked Javascript team from trying to fix these issues at their
> core.

I am part of the js team. It hurt us twice in the last month. Sorry for the
inflammatory language.
>
>> Why js file even minified a human could with some hard work understand
>> security implication.
>
> I think what you are trying to say here is that precompiled files are
> more difficult to evaluate and patch for security vulnerabilities. Is
> that correct?

Yes it is. wasm is compiled not precompiled. So you need to use binary
patch. No patch.

It is like patching a .o object, and this .o object will be injected in
your browser in a sandbox (hopefully).

So better to detect this earlier. I could not find how to detect
source-is-missing because source file could be
any language (like c) source file.

Bastien

>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby@debian.org / chris-lamb.co.uk
>        `-
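
The check discussed in this thread, flagging prebuilt WebAssembly binaries in an unpacked source tree, can be done on content rather than file name: a wasm binary module starts with the four bytes `\0asm` followed by a little-endian 32-bit version. The sketch below is an added example, not lintian's or file(1)'s code; the function names and the sample tree are constructed for illustration.

```python
import os
import struct
import tempfile

WASM_MAGIC = b"\x00asm"  # first four bytes of every WebAssembly binary module

def wasm_version(header: bytes):
    """Return the module version if header starts a wasm binary, else None."""
    if len(header) < 8 or header[:4] != WASM_MAGIC:
        return None
    return struct.unpack("<I", header[4:8])[0]  # little-endian uint32

def find_prebuilt_wasm(root: str):
    """Walk an unpacked source tree; return sorted [(relative path, version)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files; only regular files are read.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                version = wasm_version(fh.read(8))
            if version is not None:
                hits.append((os.path.relpath(path, root), version))
    return sorted(hits)

def build_sample_tree(root: str):
    """Constructed sample input: a tiny fake upstream tarball layout."""
    os.makedirs(os.path.join(root, "dist"))
    samples = {
        "dist/lib.wasm": WASM_MAGIC + b"\x01\x00\x00\x00",      # empty v1 module
        "dist/blob.bin": WASM_MAGIC + b"\x01\x00\x00\x00\x01",  # wasm header, other extension
        "dist/app.min.js": b"!function(){var a=1}();",           # minified JS, not wasm
        "notes.wasm": b"(module)",                               # text format despite the name
        "short": b"\x00as",                                      # truncated, not a module
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version in find_prebuilt_wasm(tmp):
            print(f"prebuilt wasm (version {version}): {rel}")
```

Matching on the header catches a module shipped under another extension and ignores a text file that merely carries the `.wasm` name; it does not tell whether the corresponding source is present in the tree.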

