Re: Security concerns with minified javascript code
Jakub Wilk said [Tue, Aug 25, 2015 at 04:04:52PM +0200]:
> >>To me the problem suggests that it is important from a security and
> >>accountability perspective to 1) include the human-readable source code
> >>of JavaScript in Debian packages, and 2) to compile the human-readable
> >>source code into a minified code (if required) during package builds,
> >>using a JS-minifier that is included in Debian.
> >>Thoughts?
> >
> >This is anyway mandatory in Debian,
>
> Do we actually require re-minifying JS code at build time?
If your upstream does not ship the pre-minified JS code, you must
include it in the packaging (i.e. via debian/missing-sources/).
You can choose whether to re-minify or not; I do re-minify for the
same reason upstream does (usually, reduced bandwidth or a lower
amount of requests due to combining several source files
together). You should only ship upstream's non-minified code if you
can reliably produce identical code to it.