From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 29382 invoked from network); 9 Feb 2023 08:13:17 -0000 Received: from hurricane.the-brannons.com (HELO blvuug.org) (2602:ff06:725:1:20::25) by inbox.vuxu.org with ESMTPUTF8; 9 Feb 2023 08:13:17 -0000 Received: from hurricane (localhost.localdomain [127.0.0.1]) by blvuug.org (OpenSMTPD) with ESMTP id b3b4d7b4 for ; Thu, 9 Feb 2023 08:13:12 +0000 (UTC) Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [2a00:1450:4864:20::434]) by hurricane.the-brannons.com (OpenSMTPD) with ESMTPS id 64d87513 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for ; Thu, 9 Feb 2023 08:13:09 +0000 (UTC) Received: by mail-wr1-x434.google.com with SMTP id d14so897674wrr.9 for ; Thu, 09 Feb 2023 00:13:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=kMPXzU5LxykKnGCtsyxsxh890fg+q5Ohlj8gptGr0gM=; b=ghWpIWv61urd1/IOgQHXExnZSNwPcx/YI4BorIXKGx/7PcsYw5Mb+u+1uJxofweY4S oxrwaAiprbnIxGf7x7OOPb1hgBzztnJMoex46bCa7r95pn8nxDjf27L+We5h+EBL4fVJ jfrt07KswNz2dWGGw7Pipz9LLLaCTNmMcKSm09aTC/HUAyJyG3jZjf2X5+/3auFLmjj9 fFCZaqqRQVY/qinBFip0pYl7LD7V+Mmc2pReG01KDExT3ETlNMPijY4LcAGA9+uE7Sax F0O3K5SGdYXdxbM/dPH6iAIG0whL/egWjFDCG8SJlqgNRDdN7F6T5LPhrw2Sdv0w1ogP RwHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=kMPXzU5LxykKnGCtsyxsxh890fg+q5Ohlj8gptGr0gM=; b=LFZ02WTkag30dxHD1qXt1CxsVZSAanG7aN7hDK6B3YvmH96SSIKdJruc4L5G1TuuBg LrIraQNycm9+DB8IeRnQFCKFsLNN7ge5n018kufG4lPhljUYfahmQcuSJaQBs8ZqbVj/ kBO9OJKM6FcpRNUWp30aQJlmBGeARTbR23tHwd4XTevh7ej2Y5dtFB1JV7R2JLbh4e0y M+N93h+fg/eaubaDfNUc0aLh0MfsLqodTQY9ZXzSmrM7dohuJdFNEF+n6roHTxVPGCZu 3802lGLT1VoH/CcWgf5p/ImdprfxeA9UI+Hpl7uFM/eXd3sXHlhOJjBhBypaUxX/1OT/ Wc6g== X-Gm-Message-State: AO0yUKVAUEcbzFpleNP7DB5fSqEPDa2MGreWenLg9r20jLhc7MKzaq9L mkXFyZjnaCThaMvi7rXMJSM= X-Google-Smtp-Source: AK7set8s8uHG0oWILzL9w8LWiKursA1fg34nHu3NQuHhJFqDw4Pmpcr7w2o1AmVnuY5BEbTKtAMM0A== X-Received: by 2002:a5d:5225:0:b0:2c4:503:7af3 with SMTP id i5-20020a5d5225000000b002c405037af3mr4787257wra.68.1675930387193; Thu, 09 Feb 2023 00:13:07 -0800 (PST) Received: from pinebook-pro (8.f.6.7.4.5.2.5.4.5.a.b.8.5.e.b.1.4.0.9.2.4.1.1.0.b.8.0.1.0.0.2.ip6.arpa. [2001:8b0:1142:9041:be58:ba54:5254:76f8]) by smtp.gmail.com with ESMTPSA id q3-20020a1ce903000000b003dfdeb57027sm4164245wmc.38.2023.02.09.00.13.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Feb 2023 00:13:06 -0800 (PST) Date: Thu, 9 Feb 2023 08:13:04 +0000 From: Adam Thompson To: Karl Dahlke Cc: edbrowse-dev@edbrowse.org Subject: Re: QuickJS and maintenance Message-ID: References: <20230108053303.eklhad@comcast.net> X-BeenThere: edbrowse-dev@edbrowse.org List-Id: Edbrowse Development List MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230108053303.eklhad@comcast.net> On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote: > I don't understand why there would be security concerns with quickjs. It is > a language interpreter. It either works or it doesn't. All the security > concerns fall on edbrowse, which is already packaged in several distros. To provide a little more context, whereas adding an additional interpreter does create an additional package requiring security support, it is no more than any other library as far as its integration with Edbrowse. We're a lot less js-centric in terms of our browsing engine than other browsers and Quickjs is a lot more of a pure interpreter than more browser-integrated js engines, at least that's how it appears. > There are very likely security issues with edbrowse, but we don't have the > staff to track them down. A typical browser has hundreds of programmers > supporting it, and it's plugins and such, we have a couple of volunteers. > The README file says there are no warranties, if you use edbrowse it's on > you. This is typical boiler plate disclaimer. In any case I doubt quickjs > would be the problem. As Karl says, the development of Edbrowse is carried out by an extremely small team. That being said, I think it'd actually be nice to have some more interest in the project from security researchers (and yes I'm aware I'm probably signing the project up to more work). > > seems that QuickJS is not the most actively maintained project. > > Well, much more than duktape, which we used before. We had to drop duktape > because it doesn't even support the es6 features of js, and emails to their > maintainers went unanswered for months. In other words, duktape can't parse > most of the js out there at this time. > > It is feasible to switch to another. > The connection to the engine is entirely encapsulated in jseng-quick.c. > If we wanted to use v8, example, we would write a jseng-v8.c > and change the makefile. > That's what we did when switching from duktape to quick. And from smjs to duktape. That decision was driven by the fact that smjs is far too integrated with the Firefox ecosystem rather than being developed as an embeddable library. The same used to also be true of v8 which appeared to make various assumptions about how it was being plugged in and was a complete pain to build. This may have changed now (a quick internet search shows it's got its own website and is talked about as a discrete library) but we'd have to be somewhat careful when considering the maintainability of plugging in another js engine even though the code aspects are certainly technically viable. I also wonder if it's worth contacting the Quickjs maintainers if you have concerns about security and ongoing maintenance? Cheers, Adam.