Date: Sat, 11 Feb 2023 08:10:57 +0000
From: Adam Thompson
To: Sebastian Humenda
Cc: edbrowse-dev@edbrowse.org
Subject: Re: QuickJS and maintenance
References: <20230108053303.eklhad@comcast.net>
List-Id: Edbrowse Development List

On Thu, Feb 09, 2023 at 10:48:00AM +0100, Sebastian Humenda wrote:
> Hi
>
> Adam Thompson wrote on 09.02.2023, 8:13 +0000:
> >On Wed, Feb 08, 2023 at 05:33:03AM -0500, Karl Dahlke wrote:
> >> I don't understand why there would be security concerns with quickjs. It is
> >> a language interpreter. It either works or it doesn't. All the security
> >> concerns fall on edbrowse, which is already packaged in several distros.
> >
> >To provide a little more context, whereas adding an additional interpreter
> >does create an additional package requiring security support, it is no more
> >than any other library as far as its integration with Edbrowse. We're a lot
> >less js-centric in terms of our browsing engine than other browsers and
> >Quickjs is a lot more of a pure interpreter than more browser-integrated js
> >engines, at least that's how it appears.
>
> Thanks for the context and your clarifications.

No problem. As someone who uses Debian on a daily basis I've been wondering
how to facilitate a more up-to-date Edbrowse package for a while.

> My intent has not been to enforce any decision or to criticise what is being
> done. I know that the developer base of Edbrowse is small and I am working in
> similar projects to know the maintenance burden of dependencies. This is
> exactly why I brought this up: understanding the rationale behind the
> decision. However, I still ask for a bit more understanding for the Debian
> view, as the Security team needs to know about QuickJS (among more than 38000
> other packages). QA is taken seriously, so my e-mail is just a step in that
> process :-). I'll take your arguments to the security team and let's see where
> it goes. It might well be that QuickJS is soon in Debian with the arguments
> made.

Makes sense. Apologies if any of the remarks here came across as a lack of
understanding. I've been running Debian in various contexts for about 16 years
now and am (at least from a user perspective) aware of, and thankful for, the
large amount of work that goes into the distribution, including on the security
front. Obviously consideration needs to be given when adding to that.

That being said, to repeat what I said in my previous email, it's probably worth
contacting the Quickjs maintainers directly about these concerns as they may be
able to provide greater reassurance and assistance than we can.

Cheers,
Adam.