Hi

Adam Thompson wrote on 09.02.2023, 8:13 +0000:
>On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote:
>> I don't understand why there would be security concerns with quickjs. It is
>> a language interpreter. It either works or it doesn't. All the security
>> concerns fall on edbrowse, which is already packaged in several distros.
>
>To provide a little more context, whereas adding an additional interpreter
>does create an additional package requiring security support, it is no more
>than any other library as far as its integration with Edbrowse. We're a lot
>less js-centric in terms of our browsing engine than other browsers and
>Quickjs is a lot more of a pure interpreter than more browser-integrated js
>engines, at least that's how it appears.

Thanks for the context and your clarifications. My intent has not been to enforce any decision or to criticise what is being done. I know that the developer base of Edbrowse is small and I am working in similar projects to know the maintenance burden of dependencies. This is exactly why I brought this up: understanding the rationale behind the decision.

However, I still ask for a bit more understanding for the Debian view, as the Security team needs to know about QuickJS (among more than 38000 other packages). QA is taken seriously, so my e-mail is just a step in that process :-).

I'll take your arguments to the security team and let's see where it goes. It might well be that QuickJS is soon in Debian with the arguments made.

Thanks
Sebastian