hi,
On Mon, 31 Jul 2023 at 08:27, Kunal Mehta <lego...@debian.org> wrote:
>
> Hi,
>
> On 7/29/23 16:44, Bastien Roucariès wrote:
> > Dear Maintainer,
> >
> > resources/lib/
> > (https://sources.debian.org/src/mediawiki/1:1.39.4-2/resources/lib/)
> >
> > includes a few libraries already packaged for Debian.
> >
> > Moreover some sources are missing (I have only checked pako).
>
> These are in the preferred form for modification so I don't think
> there's any issue here, but please correct me if I'm wrong. MediaWiki
> often patches these libraries (e.g. jquery.ui) in this format hence IMO
> meeting the "preferred form of the work for making modifications to it"
> requirement of the GPL.

No, https://sources.debian.org/src/mediawiki/1%3A1.39.4-2/resources/lib/pako/
is webpacked in order to be transformed into ES5. No source is available
from before webpack.

>
> > You could use the packaged library under Debian
>
> Older versions of the package did that, but the version mismatches were
> not worth it. Plus MediaWiki has a ton of user-written code that's
> stored and loaded on-wiki, so deviations from the official version are
> incredibly hard to test and just cause breakage everywhere.

Pako is stable. I understand for jquery, but sinon, promise stuff and
so on could be packaged.

Moreover, in all cases you should document the embedded code in the security tracker.

And not sticking to the latest jquery is a security problem. Are you sure
you have closed all the CVEs?

With my JavaScript hat on, I believe that working with upstream to
improve the testing (using selenium if needed) will improve the
security of MediaWiki by using packaged and up-to-date JS.

This bug should be solved package by package:
- first, by doing an analysis of stable/not stable API => stable API: use packaged
- for non-stable and patched versions => guarantee that the source is here
- for non-stable and patched versions, try to create test cases with
upstream using selenium, checking integration
- move to packaged

In all cases it decreases the burden from a security point of view.

bastien

>
> -- Kunal
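
The package-by-package procedure Bastien outlines above, turned into an inventory script as an added example (not code from the thread, MediaWiki or Debian): it walks a constructed stand-in for resources/lib/, flags webpack bundles shipped without their pre-bundle sources, local patches, and version skew against a constructed list of what the distribution packages, and says which step of the procedure applies to each library. The library names, versions, file contents, the `src/` convention and the webpack markers used as a heuristic are all assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for resources/lib/<name>/: name -> {file name: content}.
EMBEDDED = {
    "pako": {"package.json": '{"name": "pako", "version": "2.0.4"}',
             "pako_deflate.js": "/******/ (function(modules) { // webpackBootstrap"},
    "jquery": {"package.json": '{"name": "jquery", "version": "3.6.4"}',
               "jquery.js": "(function(global, factory) { /* ... */ })",
               "jquery.patch": "--- a/jquery.js\n+++ b/jquery.js"},
    "sinon": {"package.json": '{"name": "sinon", "version": "15.0.1"}',
              "sinon.js": "var sinon = (function () { /* ... */ })();"},
}
# Constructed stand-in for what the distribution ships: name -> version.
PACKAGED = {"pako": "2.0.4", "jquery": "3.6.1", "promise": "8.3.0"}

# Strings the webpack runtime leaves in its output (heuristic, assumed here);
# a hit with no src/ files next to it means the copy is not the preferred form.
WEBPACK_MARKERS = ("webpackBootstrap", "__webpack_require__", "webpackJsonp")

@dataclass
class Finding:
    name: str
    version: str
    bundled: bool            # webpack output detected
    has_source: bool         # unbundled sources (src/) shipped alongside
    patched: bool            # local .patch/.diff present: deviates from upstream
    packaged: Optional[str]  # version the distribution ships, if any
    action: str

def classify(f: Finding) -> str:
    """Map one embedded copy onto the thread's procedure."""
    if f.bundled and not f.has_source:
        return "missing source: obtain pre-webpack sources or drop the copy"
    if f.packaged is None:
        return "not packaged: record in security-tracker embedded-code-copies"
    if f.patched or f.packaged != f.version:
        return f"deviates from packaged {f.packaged}: record copy, add tests, plan migration"
    return "stable API and same version: switch to the packaged library"

def audit(embedded, packaged):
    findings = []
    for name, files in sorted(embedded.items()):
        version = json.loads(files.get("package.json", "{}")).get("version", "?")
        bundled = any(m in c for c in files.values() for m in WEBPACK_MARKERS)
        has_source = any(p.startswith("src/") for p in files)
        patched = any(p.endswith((".patch", ".diff")) for p in files)
        f = Finding(name, version, bundled, has_source, patched, packaged.get(name), "")
        f.action = classify(f)
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit(EMBEDDED, PACKAGED):
        print(f"{f.name:8} {f.version:8} {f.action}")
```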
