
Re: Security concerns with minified javascript code



Quoting Jakub Wilk (2015-08-25 16:04:52)
> * Thomas Goirand <zigo@debian.org>, 2015-08-24, 16:08:
>>>I believe the blog post below has relevance to Debian's stance on 
>>>including minified JavaScript in packages:
>>>
>>>https://zyan.scripts.mit.edu/blog/backdooring-js/
>>>
>>>To me the problem suggests that it is important from a security and 
>>>accountability perspective to 1) include the human-readable source 
>>>code of JavaScript in Debian packages, and 2) to compile the 
>>>human-readable source code into a minified code (if required) during 
>>>package builds, using a JS-minifier that is included in Debian.
>>>Thoughts?
>>
>>This is anyway mandatory in Debian,
>
> Do we actually require re-minifying JS code at build time?

I believe we require proof of redistributed code being same as source.

Other than minifying during build, I can only imagine proving by a) 
checksum matching known-good source or b) checksum of throw-away 
normalization (e.g. minification).

I am unaware of any package doing any of a) or b) - but I would not be 
surprised if some maintainers consciously judge the javascript dance as 
silly and don't check at all.

Thanks, Simon, for pointing to a concrete example of why this isn't 
silly¹.


 - Jonas

¹ One can still argue that javascript is silly in general, but then 
don't redistribute at all!

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
