Date: Thu, 9 Feb 2023 10:48:00 +0100
From: Sebastian Humenda
To: edbrowse-dev@edbrowse.org
Subject: Re: QuickJS and maintenance
List-Id: Edbrowse Development List

Hi

Adam Thompson wrote on 09.02.2023, 8:13 +0000:
>On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote:
>> I don't understand why there would be security concerns with quickjs. It is
>> a language interpreter. It either works or it doesn't. All the security
>> concerns fall on edbrowse, which is already packaged in several distros.
>
>To provide a little more context, whereas adding an additional interpreter
>does create an additional package requiring security support, it is no more
>than any other library as far as its integration with Edbrowse. We're a lot
>less js-centric in terms of our browsing engine than other browsers and
>Quickjs is a lot more of a pure interpreter than more browser-integrated js
>engines, at least that's how it appears.

Thanks for the context and your clarifications. My intent has not been to enforce any decision or to criticise what is being done. I know that the developer base of Edbrowse is small and I am working in similar projects to know the maintenance burden of dependencies. This is exactly why I brought this up: understanding the rationale behind the decision.

However, I still ask for a bit more understanding for the Debian view, as the Security team needs to know about QuickJS (among more than 38000 other packages). QA is taken seriously, so my e-mail is just a step in that process :-).

I'll take your arguments to the security team and let's see where it goes. It might well be that QuickJS is soon in Debian with the arguments made.

Thanks
Sebastian