From: Karl Dahlke
To: edbrowse-dev@edbrowse.org
Subject: QuickJS and maintenance
Date: Wed, 08 Feb 2023 05:33:03 -0500
Message-ID: <20230108053303.eklhad@comcast.net>
User-Agent: edbrowse/3.8.6+
List-Id: Edbrowse Development List

I don't understand why there would be security concerns with quickjs. It is a language interpreter. It either works or it doesn't. All the security concerns fall on edbrowse, which is already packaged in several distros.

There are very likely security issues with edbrowse, but we don't have the staff to track them down. A typical browser has hundreds of programmers supporting it, and its plugins and such; we have a couple of volunteers. The README file says there are no warranties; if you use edbrowse it's on you. This is a typical boilerplate disclaimer. In any case I doubt quickjs would be the problem.

> seems that QuickJS is not the most actively maintained project.

Well, much more than duktape, which we used before. We had to drop duktape because it doesn't even support the es6 features of js, and emails to their maintainers went unanswered for months. In other words, duktape can't parse most of the js out there at this time.

It is feasible to switch to another. The connection to the engine is entirely encapsulated in jseng-quick.c. If we wanted to use v8, for example, we would write a jseng-v8.c and change the makefile. That's what we did when switching from duktape to quick.

Hope this helps.

Karl Dahlke