(drop pkg-javascript-devel)

On Sun, Sep 9, 2018 at 12:52 AM Sean Whitton <spwhit...@spwhitton.name> wrote:
>
> Hello,
>
> On Sat 08 Sep 2018 at 10:02AM +0800, Paul Wise wrote:
>
> > On Fri, Sep 7, 2018 at 7:22 PM, Bastien ROUCARIES wrote:
> >
> >> Ok, adding cc @security
> >>
> >> How will you handle security problems in static
> >> (browserified/webpacked) JavaScript libraries?
> >
> > Same goes for the other languages that do static linking. It would be
> > great to have this wiki page updated with some realistic strategies:
> >
> > https://wiki.debian.org/StaticLinking
> >
> > IIRC the security team recently flagged Go packages as being
> > problematic for security support in the Debian buster release. I guess
> > the same will apply to Rust now that Firefox switched to it?
>
> Hmm, Go looks to be using Built-Using in a way that is not
> Policy-compliant.
>
I just sent this to the Go team a few days ago:
https://lists.debian.org/debian-go/2018/09/msg00010.html

What I see as a replacement is using X-Go-Built-Using, like the Rust
team (which uses X-Cargo-Built-Using). But this needs the release team
(and maybe the security team) to confirm, as mentioned by stapelberg.

For the security concern about Go in buster, more background is at
https://alioth-lists.debian.net/pipermail/pkg-go-maintainers/Week-of-Mon-20180903/023312.html

The main issue seems to be that we can't simply schedule binNMUs on
security-master. Whatever field is used to record the statically
embedded libraries, the script to filter the outdated binaries is simple.

-- 
Shengjing Zhu <z...@debian.org>
GPG Key: 0xCF0E265B7DFBB2F2
Homepage: https://zhsj.me
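The filtering step described above (find binaries whose recorded embedded copies are older than what the archive now ships), as an added example that is not part of the thread and not any Debian team's tooling. It assumes the field names Built-Using, X-Go-Built-Using and X-Cargo-Built-Using as spelled in the thread and the `name (= version)` syntax of Built-Using; the Packages stanzas and the table of current archive versions are constructed sample data. Version ordering follows the dpkg algorithm, reimplemented here so the script runs offline without python-apt.

```python
"""Flag binaries whose Built-Using-style field records an embedded source
older than the one the archive now ships. Added example; all data constructed."""
import re
from itertools import zip_longest

# The Policy field plus the team-specific variants named in the thread.
BUILT_USING_FIELDS = ("Built-Using", "X-Go-Built-Using", "X-Cargo-Built-Using")

# Constructed Packages-file stanzas, not real archive contents.
SAMPLE_PACKAGES = """\
Package: example-go-tool
Version: 1.0-1
X-Go-Built-Using: golang-foo-dev (= 0.3.1-1), golang-bar-dev (= 2.0-2)

Package: example-rust-tool
Version: 0.2-1
X-Cargo-Built-Using: librust-baz-dev (= 1.4.0-1)

Package: example-c-tool
Version: 3.1-2
Built-Using: libqux (= 5.0-1)
"""
# Constructed table of the versions currently in the archive.
SAMPLE_CURRENT = {"golang-foo-dev": "0.3.1-1", "golang-bar-dev": "2.1-1",
                  "librust-baz-dev": "1.4.0-1", "libqux": "5.0-2"}


def _order(c):
    """dpkg character weight for a non-digit: letters by code point, '~' below
    even end of string (which weighs 0), any other punctuation above all letters."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_nondigit(a, b):
    """Compare two non-digit runs character by character, padding with end-of-string."""
    for ca, cb in zip_longest(a, b, fillvalue=""):
        wa, wb = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
        if wa != wb:
            return wa - wb
    return 0

def _verrevcmp(a, b):
    """dpkg ordering of an upstream version or revision: the string is split into
    alternating (non-digit, digit) runs; digit runs compare numerically."""
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        diff = _cmp_nondigit(na, nb) or (int(da or 0) - int(db or 0))
        if diff:
            return diff
    return 0

def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Negative if a sorts before b, zero if equal, positive otherwise."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_stanzas(text):
    """Turn a Packages-style file into a list of {field: value} dicts."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def embedded_sources(stanza):
    """Yield (field, name, version) for each 'name (= version)' entry."""
    for field in BUILT_USING_FIELDS:
        for name, ver in re.findall(r"([^\s,]+)\s*\(=\s*([^)]+)\)", stanza.get(field, "")):
            yield field, name, ver.strip()

def find_outdated(packages_text, current):
    """List (package, field, name, embedded version, current version) for every
    embedded copy older than the archive's: those binaries need a rebuild."""
    outdated = []
    for stanza in parse_stanzas(packages_text):
        for field, name, ver in embedded_sources(stanza):
            cur = current.get(name)
            if cur is not None and compare_versions(ver, cur) < 0:
                outdated.append((stanza["Package"], field, name, ver, cur))
    return outdated

if __name__ == "__main__":
    for pkg, field, name, old, new in find_outdated(SAMPLE_PACKAGES, SAMPLE_CURRENT):
        print(f"{pkg}: {field} embeds {name} {old}, archive has {new}")
```

On real data, `SAMPLE_PACKAGES` would be the Packages index of the suite being checked and `SAMPLE_CURRENT` the name-to-version map from the matching Sources index; a name recorded in a Built-Using field but absent from that map is skipped here, and a production check would want to report it separately, since it usually means the embedded source has been removed from the archive.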