Comment 12 for bug 1108935

Seth Arnold (seth-arnold) wrote :

I reviewed spice-html5 version 0.1.7-1 as checked into Debian unstable.
This should not be considered a full security audit. It's even pretty
sparse by my usual standards.

spice-html5 is a unique package -- its contents mostly don't influence
the machine where it is installed. It's also a huge amount of JavaScript,
which isn't a language that the security team knows well.

The upstream git repository appears moderately active, with multiple patch
authors; none of the commits that I inspected looked embarrassing. The
initial git import was five years ago and 40k lines.

spice-html5 doesn't seem like an obvious undue risk but the point remains
that the security team isn't staffed to support web applications. We may
need support from elsewhere in the company to address issues raised here.

I tried linting the codebase with jslint.com. Some of the files came
through with minor-feeling quibbles and some files had faults on every
single line. I hope this says more about my expectations about JavaScript
linters than the code quality.

jslint.com reports:
- don't use single-quote strings
- don't use 'this'
- don't declare vars in a loop body
- positively hates enums.js and atKeynames.js
... stopped here, as I suspect this isn't the right tool for the job

Security team ACK for promoting spice-html5 to main.

Thanks