edbrowse-dev - development list for edbrowse
From: Adam Thompson <arthompson1990@gmail.com>
To: Sebastian Humenda <shumenda@gmx.de>
Cc: edbrowse-dev@edbrowse.org
Subject: Re: QuickJS and maintenance
Date: Sat, 11 Feb 2023 08:10:57 +0000
Message-ID: <Y+dNkcA27r71/O53@pinebook-pro>
In-Reply-To: <Y+TBUN0pEpeUt0iS@kraftkrust>

On Thu, Feb 09, 2023 at 10:48:00AM +0100, Sebastian Humenda wrote:
> Hi
> 
> Adam Thompson schrieb am 09.02.2023,  8:13 +0000:
> >On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote:
> >> I don't understand why there would be security concerns with quickjs. It is
> >> a language interpreter. It either works or it doesn't. All the security
> >> concerns fall on edbrowse, which is already packaged in several distros.
> >
> >To provide a little more context, whereas adding an additional interpreter
> >does create an additional package requiring security support, it is no more
> >than any other library as far as its integration with Edbrowse. We're a lot
> >less js-centric in terms of our browsing engine than other browsers and
> >Quickjs is a lot more of a pure interpreter than more browser-integrated js
> >engines, at least that's how it appears.
> 
> Thanks for the context and your clarifications.

No problem. As someone who uses Debian on a daily basis I've been wondering
how to facilitate a more up-to-date Edbrowse package for a while.

> My intent has not been to enforce any decision or to criticise what is being
> done. I know that the developer base of Edbrowse is small and I am working in
> similar projects to know the maintenance burden of dependencies. This is
> exactly why I brought this up: understanding the rationale behind the
> decision. However, I still ask for a bit more understanding for the Debian
> view, as the Security team needs to know about QuickJS (among more than 38000
> other packages). QA is taken seriously, so my e-mail is just a step in that
> process :-). I'll take your arguments to the security team and let's see where
> it goes. It might well be that QuickJS is soon in Debian with the arguments
> made.

Makes sense. Apologies if any of the remarks here came across as a lack of
understanding. I've been running Debian in various contexts for about 16
years now and am (at least from a user perspective) aware, and thankful for,
the large amount of work that goes into the distribution including on the
security front. Obviously consideration needs to be given when adding to
that.

That being said, to repeat what I said in my previous email, it's probably
worth contacting the Quickjs maintainers directly about these concerns as
they may be able to provide greater reassurance and assistance than we can.

Cheers,
Adam.


Thread overview: 9+ messages
2023-02-08  9:32 Sebastian Humenda
2023-02-08 10:33 ` Karl Dahlke
2023-02-09  8:13   ` Adam Thompson
2023-02-09  9:48     ` Sebastian Humenda
2023-02-11  8:10       ` Adam Thompson [this message]
2023-02-11  9:56         ` Sebastian Humenda
2023-02-11 10:32           ` Karl Dahlke
2023-02-12  7:39             ` Sebastian Humenda
2023-02-12 18:54               ` Adam Thompson