Re: [Pkg-javascript-devel] Embedded modules more than once
On 20-09-03 at 10:33, Xavier wrote:
>> A second step would be to report all embedded code to the security team
>> - see https://wiki.debian.org/EmbeddedCopies
>
> Partially done

Awesome!

>> A third step would be to ask the security team how we might better help
>> them handle this¹ issue (because I highly doubt that reporting in the
>> current form is enough for the security team to reliably track issues:
>> they seem not efficiently machine-readable).
>
> I'll try to automate some things around this future tool and `npm
> audit`. I need also to update lintian to get `nodejs-module` results for
> non JS Team packages.

Do you need help on that part?

/Nicolas

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Xavier (2020-09-03 16:33:10)
> On 03/09/2020 at 16:28, Jonas Smedegaard wrote:
> > Quoting Nicolas Mora (2020-09-03 15:49:32)
> >> Hello,
> >>
> >> Concerning embedded modules, this raises another question for me.
> >>
> >> On 20-09-03 at 08:54, Xavier wrote:
> >>
> >>> serialize-javascript:
> >>> - node-compression-webpack-plugin (1.9.1)
> >>> - node-copy-webpack-plugin (1.4.0)
> >>> - node-uglifyjs-webpack-plugin (1.7.0)
> >>
> >> A CVE was recently published for serialize-javascript [1]; to fix the
> >> issue, it must be upgraded to 3.1.0.
> >>
> >> Would it be possible to broadcast this kind of issue to all packages
> >> embedding vulnerable modules?
> >
> > A first step would be to identify all embedded code - thanks a lot to
> > Xavier for working on that!
> >
> > A second step would be to report all embedded code to the security team
> > - see https://wiki.debian.org/EmbeddedCopies
>
> Partially done
>
> > A third step would be to ask the security team how we might better help
> > them handle this¹ issue (because I highly doubt that reporting in the
> > current form is enough for the security team to reliably track issues:
> > they seem not efficiently machine-readable).
>
> I'll try to automate some things around this future tool and `npm
> audit`. I need also to update lintian to get `nodejs-module` results for
> non JS Team packages.

Thanks a lot for your work on this!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Re: [Pkg-javascript-devel] Embedded modules more than once
On 03/09/2020 at 16:28, Jonas Smedegaard wrote:
> Quoting Nicolas Mora (2020-09-03 15:49:32)
>> Hello,
>>
>> Concerning embedded modules, this raises another question for me.
>>
>> On 20-09-03 at 08:54, Xavier wrote:
>>
>>> serialize-javascript:
>>> - node-compression-webpack-plugin (1.9.1)
>>> - node-copy-webpack-plugin (1.4.0)
>>> - node-uglifyjs-webpack-plugin (1.7.0)
>>
>> A CVE was recently published for serialize-javascript [1]; to fix the
>> issue, it must be upgraded to 3.1.0.
>>
>> Would it be possible to broadcast this kind of issue to all packages
>> embedding vulnerable modules?
>
> A first step would be to identify all embedded code - thanks a lot to
> Xavier for working on that!
>
> A second step would be to report all embedded code to the security team
> - see https://wiki.debian.org/EmbeddedCopies

Partially done

> A third step would be to ask the security team how we might better help
> them handle this¹ issue (because I highly doubt that reporting in the
> current form is enough for the security team to reliably track issues:
> they seem not efficiently machine-readable).

I'll try to automate some things around this future tool and `npm
audit`. I need also to update lintian to get `nodejs-module` results for
non JS Team packages.
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Nicolas Mora (2020-09-03 15:49:32)
> Hello,
>
> Concerning embedded modules, this raises another question for me.
>
> On 20-09-03 at 08:54, Xavier wrote:
>
> > serialize-javascript:
> > - node-compression-webpack-plugin (1.9.1)
> > - node-copy-webpack-plugin (1.4.0)
> > - node-uglifyjs-webpack-plugin (1.7.0)
>
> A CVE was recently published for serialize-javascript [1]; to fix the
> issue, it must be upgraded to 3.1.0.
>
> Would it be possible to broadcast this kind of issue to all packages
> embedding vulnerable modules?

A first step would be to identify all embedded code - thanks a lot to
Xavier for working on that!

A second step would be to report all embedded code to the security team
- see https://wiki.debian.org/EmbeddedCopies

A third step would be to ask the security team how we might better help
them handle this¹ issue (because I highly doubt that reporting in the
current form is enough for the security team to reliably track issues:
they seem not efficiently machine-readable).

 - Jonas

¹ ...where "this issue" is the fact that some embedded code copies are
required. Obviously code copies *not* required should be *dropped* rather
than reported, and obviously we should not whine about ftp-masters wrongly
forcing us to embed stuff because that's (not true, and) irrelevant for
the security team.
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Xavier (2020-09-03 16:06:01)
> On 03/09/2020 at 16:02, Jonas Smedegaard wrote:
> > Quoting Xavier (2020-09-03 15:43:24)
> >> On 03/09/2020 at 15:36, Xavier wrote:
> >>> On 03/09/2020 at 14:59, Andrius Merkys wrote:
> >>>> Hi Xavier,
> >>>>
> >>>> On 2020-09-03 15:54, Xavier wrote:
> >>>>> buffer-equal:
> >>>>> - node-buffer-equal (1.0.0)
> >>>>> - node-vinyl-fs (1.0.0)
> >>>>
> >>>> Does this (and the like) mean that is now packaged as
> >>>> node-? If so, such embedded modules might be removed.
> >>>
> >>> Hi,
> >>>
> >>> You're right, buffer-equal should be removed from node-vinyl-fs. Other
> >>> example: node-parse-json is bad: it embeds some outdated @babel/*
> >>> modules while node-babel7 has been released.
> >>>
> >>> I built this inventory to detect such cases.
> >>
> >> Other (good) example: node-lolex embeds a slightly outdated
> >> @sinonjs/commons to avoid a complex circular dependency with node-sinon.
> >> In this case no bug, just a known problem.
> >
> > "known" to whom? It does not seem known to Debian nor to the JavaScript
> > team - i.e. I fail to see any mention of the reason for that code
> > embedding in debian/README or debian/TODO.
> >
> > What did I miss?
>
> I forgot to add a debian/README; this is just mentioned in
> d/changelog. Let's do that.

Thanks.

Please also report it for the security team - see
https://wiki.debian.org/EmbeddedCopies

 - Jonas
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Andrius Merkys (2020-09-03 15:54:30)
> On 2020-09-03 16:23, Jonas Smedegaard wrote:
> > Quoting Andrius Merkys (2020-09-03 14:59:38)
> >> On 2020-09-03 15:54, Xavier wrote:
> >>> buffer-equal:
> >>> - node-buffer-equal (1.0.0)
> >>> - node-vinyl-fs (1.0.0)
> >> Does this (and the like) mean that is now packaged as
> >> node-? If so, such embedded modules might be removed.
> > Why only "might"?
> >
> > I fail to see *any* reason for embedded code to continue to exist when
> > available non-embedded. Please enlighten me, anyone...
> >
> > ...or if not, then let us treat such cases as release-critical bugs!
>
> I could not agree more. However, embedded copies sometimes are several
> major releases behind, and their replacement requires extensive
> patching.

Hence "when available non-embedded" ;-)

In my opinion we as a team should consider RC buggy packages that embed
code which is available elsewhere in Debian. By that I mean *same* code,
not some other version from the same upstream _project_ - and I mean
available *anywhere* else in Debian - i.e. if some Ruby package ships the
same code as well then that's an RC bug (which might belong to the Ruby
package rather than the JavaScript package).

In my opinion we as a team should consider non-RC buggy packages that
embed code without clearly documenting it. Would be good to document how
exactly we consider it most sensible to clearly document each type of
embedding, but until that is refined let's simply require _any_ form of
"clearly documenting it".

 - Jonas
Re: [Pkg-javascript-devel] Embedded modules more than once
Hello,

Concerning embedded modules, this raises another question for me.

On 20-09-03 at 08:54, Xavier wrote:
> serialize-javascript:
> - node-compression-webpack-plugin (1.9.1)
> - node-copy-webpack-plugin (1.4.0)
> - node-uglifyjs-webpack-plugin (1.7.0)

A CVE was recently published for serialize-javascript [1]; to fix the
issue, it must be upgraded to 3.1.0.

Would it be possible to broadcast this kind of issue to all packages
embedding vulnerable modules?

/Nicolas

[1] - https://github.com/advisories/GHSA-hxcc-f52p-wc94
Re: [Pkg-javascript-devel] Embedded modules more than once
On 03/09/2020 at 16:02, Jonas Smedegaard wrote:
> Quoting Xavier (2020-09-03 15:43:24)
>> On 03/09/2020 at 15:36, Xavier wrote:
>>> On 03/09/2020 at 14:59, Andrius Merkys wrote:
>>>> Hi Xavier,
>>>>
>>>> On 2020-09-03 15:54, Xavier wrote:
>>>>> buffer-equal:
>>>>> - node-buffer-equal (1.0.0)
>>>>> - node-vinyl-fs (1.0.0)
>>>>
>>>> Does this (and the like) mean that is now packaged as
>>>> node-? If so, such embedded modules might be removed.
>>>
>>> Hi,
>>>
>>> You're right, buffer-equal should be removed from node-vinyl-fs. Other
>>> example: node-parse-json is bad: it embeds some outdated @babel/*
>>> modules while node-babel7 has been released.
>>>
>>> I built this inventory to detect such cases.
>>
>> Other (good) example: node-lolex embeds a slightly outdated
>> @sinonjs/commons to avoid a complex circular dependency with node-sinon.
>> In this case no bug, just a known problem.
>
> "known" to whom? It does not seem known to Debian nor to the JavaScript
> team - i.e. I fail to see any mention of the reason for that code
> embedding in debian/README or debian/TODO.
>
> What did I miss?

I forgot to add a debian/README; this is just mentioned in
d/changelog. Let's do that.
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Xavier (2020-09-03 15:43:24)
> On 03/09/2020 at 15:36, Xavier wrote:
> > On 03/09/2020 at 14:59, Andrius Merkys wrote:
> >> Hi Xavier,
> >>
> >> On 2020-09-03 15:54, Xavier wrote:
> >>> buffer-equal:
> >>> - node-buffer-equal (1.0.0)
> >>> - node-vinyl-fs (1.0.0)
> >>
> >> Does this (and the like) mean that is now packaged as
> >> node-? If so, such embedded modules might be removed.
> >
> > Hi,
> >
> > You're right, buffer-equal should be removed from node-vinyl-fs. Other
> > example: node-parse-json is bad: it embeds some outdated @babel/*
> > modules while node-babel7 has been released.
> >
> > I built this inventory to detect such cases.
>
> Other (good) example: node-lolex embeds a slightly outdated
> @sinonjs/commons to avoid a complex circular dependency with node-sinon.
> In this case no bug, just a known problem.

"known" to whom? It does not seem known to Debian nor to the JavaScript
team - i.e. I fail to see any mention of the reason for that code
embedding in debian/README or debian/TODO.

What did I miss?

 - Jonas
Re: [Pkg-javascript-devel] Embedded modules more than once
On 2020-09-03 16:23, Jonas Smedegaard wrote:
> Quoting Andrius Merkys (2020-09-03 14:59:38)
>> On 2020-09-03 15:54, Xavier wrote:
>>> buffer-equal:
>>> - node-buffer-equal (1.0.0)
>>> - node-vinyl-fs (1.0.0)
>> Does this (and the like) mean that is now packaged as
>> node-? If so, such embedded modules might be removed.
> Why only "might"?
>
> I fail to see *any* reason for embedded code to continue to exist when
> available non-embedded. Please enlighten me, anyone...
>
> ...or if not, then let us treat such cases as release-critical bugs!

I could not agree more. However, embedded copies sometimes are several
major releases behind, and their replacement requires extensive
patching.

Andrius
Re: [Pkg-javascript-devel] Embedded modules more than once
On 03/09/2020 at 15:36, Xavier wrote:
> On 03/09/2020 at 14:59, Andrius Merkys wrote:
>> Hi Xavier,
>>
>> On 2020-09-03 15:54, Xavier wrote:
>>> buffer-equal:
>>> - node-buffer-equal (1.0.0)
>>> - node-vinyl-fs (1.0.0)
>>
>> Does this (and the like) mean that is now packaged as
>> node-? If so, such embedded modules might be removed.
>
> Hi,
>
> You're right, buffer-equal should be removed from node-vinyl-fs. Other
> example: node-parse-json is bad: it embeds some outdated @babel/*
> modules while node-babel7 has been released.
>
> I built this inventory to detect such cases.

Other (good) example: node-lolex embeds a slightly outdated
@sinonjs/commons to avoid a complex circular dependency with node-sinon.
In this case no bug, just a known problem.
Re: [Pkg-javascript-devel] Embedded modules more than once
Quoting Andrius Merkys (2020-09-03 14:59:38)
> On 2020-09-03 15:54, Xavier wrote:
> > buffer-equal:
> > - node-buffer-equal (1.0.0)
> > - node-vinyl-fs (1.0.0)
>
> Does this (and the like) mean that is now packaged as
> node-? If so, such embedded modules might be removed.

Why only "might"?

I fail to see *any* reason for embedded code to continue to exist when
available non-embedded. Please enlighten me, anyone...

...or if not, then let us treat such cases as release-critical bugs!

 - Jonas
Re: [Pkg-javascript-devel] Embedded modules more than once
Hi Xavier,

On 2020-09-03 15:54, Xavier wrote:
> buffer-equal:
> - node-buffer-equal (1.0.0)
> - node-vinyl-fs (1.0.0)

Does this (and the like) mean that is now packaged as
node-? If so, such embedded modules might be removed.

Best,
Andrius