Re: Security concerns with minified javascript code

To: Simon Josefsson <simon@josefsson.org>, debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Thomas Goirand <zigo@debian.org>
Date: Mon, 24 Aug 2015 16:08:58 +0200
Message-id: <[🔎] 55DB257A.2070504@debian.org>
In-reply-to: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org>
References: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org>

On 08/24/2015 01:54 PM, Simon Josefsson wrote:
> I believe the blog post below has relevance to Debian's stance on
> including minified JavaScript in packages:
> 
> https://zyan.scripts.mit.edu/blog/backdooring-js/
> 
> To me the problem suggests that it is important from a security and
> accountability perspective to 1) include the human-readable source code
> of JavaScript in Debian packages, and 2) to compile the human-readable
> source code into a minified code (if required) during package builds,
> using a JS-minifier that is included in Debian.
> 
> Thoughts?

This is anyway mandatory in Debian, so if you find a package who's not
doing this, please file an RC bug.

Thomas

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Jakub Wilk <jwilk@debian.org>

References:
- Security concerns with minified javascript code
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Security concerns with minified javascript code
Next by Date: Re: Raising the severity of reproduciblity issues to "important"
Previous by thread: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread