libmozjs and gnome-shell

Josselin Mouette joss at
Thu Dec 22 22:15:01 UTC 2011

Le jeudi 22 décembre 2011 à 18:26 +0100, Mike Hommey a écrit : 
> > > I've said numerous times that I won't prevent anyone from packaging
> > > libmozjs185. I just won't do it myself. FWIW, the libmozjs185 "upstream"
> > > maintainer was interested in packaging it for debian himself. So anyone
> > > interested should try to contact Wes Garland.

Will do, thanks. I don’t think the best results would be ensured by
packaging it by the GNOME team; we don’t know nothing about this

> > All the Javascript executing in Gnome Shell would be under the control
> > of installed extensions or the user, who wrote local Javascript code, right? 
> > 
> > As such it doesn't face the same challenges as a Javascript engine used in 
> > a web browser, so I don't think a second copy would hurt as we simply 
> > wouldn't provide sec support for it.

Indeed, you wouldn’t necessarily have to in this situation. Anyway, this
JS code has access to anything the installed GIR packages provide, so
that includes the possibility to do anything the user can do without
having to trick the interpreter. The security challenges are not
remotely comparable to those of a sandbox.

> Arguably, the scripts don't come from the user, but from the net.

Unless the user has downloaded and installed a malicious script, their
origin should be guaranteed. And anyway they wouldn’t need a hole in the
interpreter to do malicious things.

 .''`.      Josselin Mouette
: :' :
`. `'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the pkg-mozilla-maintainers mailing list