Quoting Scott Kitterman (2015-08-25 17:57:11)
> On Tuesday, August 25, 2015 05:12:56 PM Vincent Bernat wrote:
>> ❦ 25 August 2015 16:04 +0200, Jakub Wilk <jwilk@debian.org> :
>>>>> I believe the blog post below has relevance to Debian's stance on
>>>>> including minified JavaScript in packages:
>>>>> https://zyan.scripts.mit.edu/blog/backdooring-js/
>>>>>
>>>>> To me the problem suggests that it is important from a security
>>>>> and accountability perspective to 1) include the human-readable
>>>>> source code of JavaScript in Debian packages, and 2) to compile
>>>>> the human-readable source code into a minified code (if required)
>>>>> during package builds, using a JS-minifier that is included in
>>>>> Debian.
>>>>>
>>>>> Thoughts?
>>>>
>>>> This is anyway mandatory in Debian,
>>>>
>>> Do we actually require re-minifying JS code at build time?
>>
>> No, we don't require to rebuild everything from source. It should
>> just be possible to do it with what is in main. The last occurrence
>> that I can find of this discussion is here:
>> https://lists.debian.org/debian-devel/2014/11/msg00929.html
>
> The question posed there was, I think, already pretty clearly
> answered:
>
> https://lists.debian.org/debian-devel-announce/2014/04/msg00014.html
>
> AFAIK we've only ever discussed the need to provide source. I don't
> know why there would be a requirement to reminify.

I agree the question of shipping minified code in _source_ packages is
discussed and permitted when its source is included as well.

I see no reason to require JavaScript code shipped in binary packages to
be minified.

I do see a reason to require that *if* such code is minified then the
minification must be done during build, not upstream.

...just to make sure we are discussing the same thing here.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private