On Tuesday, August 25, 2015 05:12:56 PM Vincent Bernat wrote:
> ❦ 25 August 2015 16:04 +0200, Jakub Wilk <jwilk@debian.org> :
> >>> I believe the blog post below has relevance to Debian's stance on
> >>> including minified JavaScript in packages:
> >>> https://zyan.scripts.mit.edu/blog/backdooring-js/
> >>>
> >>> To me the problem suggests that it is important from a security and
> >>> accountability perspective to 1) include the human-readable source
> >>> code of JavaScript in Debian packages, and 2) to compile the
> >>> human-readable source code into a minified code (if required)
> >>> during package builds, using a JS-minifier that is included in
> >>> Debian.
> >>>
> >>> Thoughts?
> >>
> >> This is anyway mandatory in Debian,
> >>
> > Do we actually require re-minifying JS code at build time?
>
> No, we don't require rebuilding everything from source. It should just
> be possible to do it with what is in main. The last occurrence that I
> can find of this discussion is here:
> https://lists.debian.org/debian-devel/2014/11/msg00929.html

The question posed there was, I think, already pretty clearly answered:

https://lists.debian.org/debian-devel-announce/2014/04/msg00014.html

AFAIK we've only ever discussed the need to provide source. I don't know
why there would be a requirement to reminify.

Scott K