[Pkg-mediawiki-devel] Bug#681184: Bug#681184: mediawiki: includes courtesy copies of ECMAscript libs
Platonides
platonides at gmail.com
Thu Jul 26 20:53:27 UTC 2012
On 26/07/12 20:32, Thorsten Glaser wrote:
> Platonides dixit:
>
>> Thorsten, how do you expect to handle it?
>
> Have not investigated it yet. Same as with the other occurrences,
> I guess – cut off the convenience copies of third-party code, patch
> the code to use the system-wide copy, and kick it until it ble^Wworks.
Other than the open_basedir issue I mentioned, I don't expect problems
with that. Replacing with a few symlinks should cleanly solve it.
>> There's of course the risk of something breaking, undetected upstream
>> due to a different jQuery version. But I guess you're aware of that and
>> accepting it.
>
> Yes. There’s of course also the risk that the system-wide copy has got
> security and bugfixes which make using it at all possible. ☺ It’s Policy
> so there’s not even any need to discuss it, even if you don’t like it,
> too.
It's hard for jQuery to produce a security issue. Far more likely that
it gets introduced by wrong usage at MediaWiki/an extension.
I'm pretty sure we would issue a new release if there was a security
vulnerability in a javascript library we were bundling. Just as debian
would update the library package. Not a problem on that front.
My concerns were if debian changed to a jQuery which under certain
circunstances triggered a bug (such as crashing the client browser).
And MediaWiki produced that effect, unknown to us since it was tested
with a different -safe- jQuery version.
That happened in the past with jQuery 1.6.2 [1], and we also had a
similar-looking bug related to jQuery v1.4.2 [2].
Probably not going to happen in wheezy, but it could reappear in
unstable. At upstream, we should keep in mind possible differences of
ecmascript libraries by vendor vs ones shipped with MW when dealing with
bugs reports. We will of course deny any reponsibility of jQuery bugs
packaged by debien if they happenned :)
Let's hope they don't. Clients could use not-broken browsers, of
course, but sadly, as a web developer, you can't count on that :(.
Regards
1- http://bugs.jquery.com/ticket/9823
2- https://bugzilla.wikimedia.org/show_bug.cgi?id=33926
More information about the Pkg-mediawiki-devel
mailing list