[mir] seed

Package itself looks fine. But passing to security team for a quick review. Handling javascript seems like something that would need a sign off.

Oh, though it has tests that would ideally be run. I'll look into enabling them while security does its thing.

Filed debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626936 about the test suite. It's a bit non-trivial to enable, so I'll not block the MIR on that.

Oh where is my head today. This will need a symbols file for libseed-gtk3. That is a MIR blocker.

Yikes, javascript hooked to the desktop. :) There's nothing immediately wrong with the code, but I have to wonder about how security boundaries are going to be enforced, if JS from the browser ever touches JS for the desktop. I would prefer to see documentation similar to the "same origin" policies in browsers for how JS will be used in the Desktop before this package goes into main.

I've emailed the libseed mailing list about your questions. I couldn't find much information on seed security online.

Also, it doesn't need a symbols file, since it has strict "dh_makeshlibs -V" usage, and there's no reason to have the delta if we don't need it.

So the only blocker here is the security issues.

current gedit and eog GNOME3 versions are dep-waiting on this to be sorted, is the issue there blocking promotion and can it be sorted later?

Here are the mailing list answers I got:
http://mail.gnome.org/archives/libseed-list/2011-May/msg00001.html
http://mail.gnome.org/archives/libseed-list/2011-May/msg00003.html

Basically, they say that JS here is 'merely' as powerful as Python. That since you can already do anything you want with Python, JS isn't any worse. They say it only uses the JavaScriptCore portion of webkit and doesn't interact with browser-side JS.

i.e. it's just a language binding for gobject.

That sounds like it answers Kees's concern?

Right, it's "just" bindings, but right now browsers don't run Python code. :) I'm fine with this all on principle, but I don't want to see JS crossing from the browser to the desktop without a specific security design. Since there isn't one yet, I'll just make an easy one up: "JavaScript must never be passed from the Browser to the Desktop". We can adjust this when there is something that needs to cross that boundary.

+1

This should probably be something like "remotely-served or Browser-handled JavaScript should never be executed by the Desktop". Regardless, without some more specific examples of bad situations, this statement won't be complete.

thanks, it has been promoted in oneiric

there is a depends on gnome-js-common which was overlooked there which made the binaries fail to install, Jeremy do you think you could write the mir for it?

mir for gnome-js-common filed as bug 785332

gnome-js-common promoted

was demoted again, and currently ftbfs