Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 25 Aug 2015 16:04:52 +0200
Message-id: <[🔎] 20150825140451.GA991@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 55DB257A.2070504@debian.org>
References: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org> <[🔎] 55DB257A.2070504@debian.org>

* Thomas Goirand <zigo@debian.org>, 2015-08-24, 16:08:

I believe the blog post below has relevance to Debian's stance onincluding minified JavaScript in packages:
https://zyan.scripts.mit.edu/blog/backdooring-js/
To me the problem suggests that it is important from a security andaccountability perspective to 1) include the human-readable sourcecode of JavaScript in Debian packages, and 2) to compile thehuman-readable source code into a minified code (if required) duringpackage builds, using a JS-minifier that is included in Debian.
Thoughts?
This is anyway mandatory in Debian,


Do we actually require re-minifying JS code at build time?

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Security concerns with minified javascript code
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Gunnar Wolf <gwolf@gwolf.org>

References:
- Security concerns with minified javascript code
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Security concerns with minified javascript code
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Re: git interface to snapshot.debian.org
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread