
Re: Security concerns with minified javascript code

Jakub Wilk said [Tue, Aug 25, 2015 at 04:04:52PM +0200]:
> >>To me the problem suggests that it is important from a security and
> >>accountability perspective to 1) include the human-readable source code
> >>of JavaScript in Debian packages, and 2) to compile the human-readable
> >>source code into a minified code (if required) during package builds,
> >>using a JS-minifier that is included in Debian.
> >>Thoughts?
> >
> >This is anyway mandatory in Debian,
> Do we actually require re-minifying JS code at build time?

If your upstream does not ship the pre-minified JS code, you must
include it in the packaging (i.e. via debian/missing-sources/).

You can choose whether to re-minify or not; I do re-minify for the
same reason upstream does (usually, reduced bandwidth or a lower
amount of requests due to combining several source files
together). You should only ship upstream's non-minified code if you
can reliably produce identical code to it.
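
The "reliably produce identical code" condition at the end of the message can be checked mechanically. The following is an added example, not part of the original message or of any Debian tooling: the function name `check_reminify` is hypothetical, and `tr -d '\n'` is only a stand-in for whichever minifier the package uses at build time.

```shell
#!/bin/sh
# Added example: check that a shipped .min.js is reproducible from its source.
# check_reminify SHIPPED_MIN SOURCE_JS MINIFIER [ARGS...]
#   MINIFIER must read JavaScript on stdin and write the result to stdout.
#   Returns 0 if the rebuilt output is byte-identical to SHIPPED_MIN,
#           1 if it differs, 2 on a usage or minifier error.
check_reminify() {
    shipped=$1
    source_js=$2
    [ "$#" -ge 3 ] || return 2
    shift 2
    [ -r "$shipped" ] && [ -r "$source_js" ] || return 2
    rebuilt=$(mktemp) || return 2
    # Run the minifier on the human-readable source.
    if ! "$@" < "$source_js" > "$rebuilt"; then
        rm -f "$rebuilt"
        return 2
    fi
    # Byte-for-byte comparison: any difference means the shipped file
    # cannot be vouched for from the source in the package.
    if cmp -s "$rebuilt" "$shipped"; then rc=0; else rc=1; fi
    rm -f "$rebuilt"
    return "$rc"
}

# Constructed demo. "tr -d '\n'" is only a stand-in for a real minifier.
demo_dir=$(mktemp -d)
printf 'function add(a, b) {\n  return a + b;\n}\n' > "$demo_dir/add.js"
tr -d '\n' < "$demo_dir/add.js" > "$demo_dir/add.min.js"
if check_reminify "$demo_dir/add.min.js" "$demo_dir/add.js" tr -d '\n'; then
    echo "add.min.js: reproducible from add.js"
else
    echo "add.min.js: NOT reproducible, re-minify at build time"
fi
rm -rf "$demo_dir"
```

A result of 1 means the shipped minified file does not correspond to the source in the package, which is the case where re-minifying during the build is the safer choice.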
