Control: severity -1 normal

On 2021-08-13 14:34:04 +0000, Bastien Roucariès wrote:
> Package: firefox
> Version: 57.0.0
> Severity: serious
> Tags: upstream
> Justification: Policy 4.13
> Forwarded: https://bugzilla.mozilla.org/show_bug.cgi?id=1420286
> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
> Control: tags -1 + security
>
> Hi,
>
> By default firefox does not allow symlinks in system extensions.
>
> It is really bad from the point of view of the javascript team, from a point
> of view of maintainability and security...
>
> Chrome allows symlinks BTW.
>
> Maintainers do a copy of each javascript file instead at build time (they do
> not use trigger....)
>
> I found this bug during a lintian audit of embedded javascript packages. This
> is not documented and I do know if security team is aware of this.
>
> Firefox upstream recommends using packaged and signed extensions. It is worse
> from the point of view of the javascript team because it will need binNMU of
> arch all file, that is not implemented.
>
> Therefore, could we recover the old system of working symlinks? We have now
> salsa to test regression and it could be safe.

While the lack of arch: all binNMUs is annoying, it can be worked around.
Also, looking at the current set of xul-ext-* extensions, none of them seem
to suffer from any of the above issues. So I don't see a reason for this bug
to have serious severity.

Cheers
--
Sebastian Ramacher