
Re: Security concerns with minified javascript code



Scott Kitterman said [Tue, Aug 25, 2015 at 11:57:11AM -0400]:
> > No, we don't require to rebuild everything from source. It should just
> > be possible to do it with what is in main. The last occurrence that I
> > can find of this discussion is here:
> >  https://lists.debian.org/debian-devel/2014/11/msg00929.html
> 
> The question posed there was, I think, already pretty clearly answered:
> 
> https://lists.debian.org/debian-devel-announce/2014/04/msg00014.html
> 
> AFAIK we've only ever discussed the need to provide source.  I don't know why 
> there would be a requirement to reminify.

The main reason IMO is that, unless we can ensure the minified code is
identical to what we are able to produce, we cannot be sure of its
contents. If upstream changes the version of the JS
library-to-be-minified then our provided source will no longer
match. Even worse, if upstream (or an attacker to upstream) were to
modify specific bits of the minified thingy (quite probably, the
pre-minified thingy they'd minify and ship), they would put our users
in compromised situations.

So, we can ensure a bit-identical minification (that is, checking the
hash for each minified JS or whatever other language we ship), or just
minify from a known-good source and distribute our results.

Minification is a very fast process IMO, so I don't see why not to do
it.
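The check proposed in this message (rebuild the minified file from the source in main and compare hashes, rejecting anything shipped that does not match) can be scripted. The following is an added example and not code from the original thread or from any Debian tooling; `naive_minify` is a stand-in for a real minifier chosen only so the script runs offline, and the JavaScript source and the "tampered" shipped file are constructed samples.

```python
import hashlib
import re

# Constructed sample: the pre-minified source a packager keeps in main.
SOURCE_JS = """
// constructed sample library (not a real project file)
/* adds two numbers */
function add(a, b) {
  return a + b;
}
"""


def naive_minify(src: str) -> str:
    """Deterministic stand-in for a real minifier (assumption: the real
    build would call the packaged minifier at a pinned version instead).
    Strips comments, collapses whitespace and drops spaces around
    punctuation so the same input always yields the same bytes."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)      # block comments
    src = re.sub(r"//[^\n]*", "", src)                    # line comments
    src = re.sub(r"\s+", " ", src).strip()                # collapse whitespace
    return re.sub(r"\s*([{}();,=+])\s*", r"\1", src)      # tighten punctuation


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(sources: dict) -> dict:
    """Map each file name to the sha256 of the artefact we produce ourselves
    from known-good source. This is the reference the shipped files must
    match bit for bit."""
    return {name: sha256_hex(naive_minify(src).encode())
            for name, src in sources.items()}


def verify_shipped(manifest: dict, shipped: dict) -> list:
    """Return the names of shipped minified files that are missing or whose
    hash differs from our own rebuild. An empty list means every shipped
    artefact is exactly what we can reproduce from source."""
    problems = []
    for name, expected in manifest.items():
        data = shipped.get(name)
        if data is None or sha256_hex(data) != expected:
            problems.append(name)
    return problems


# Constructed shipped artefacts: one genuine, one with a modified statement.
SHIPPED_OK = naive_minify(SOURCE_JS).encode()
SHIPPED_TAMPERED = SHIPPED_OK.replace(b"return a+b", b"return a+b+1")

if __name__ == "__main__":
    manifest = build_manifest({"lib.min.js": SOURCE_JS})
    print("genuine:", verify_shipped(manifest, {"lib.min.js": SHIPPED_OK}))
    print("tampered:", verify_shipped(manifest, {"lib.min.js": SHIPPED_TAMPERED}))
```

Because the comparison is an exact hash match, any difference at all (a changed minifier version, a different upstream release of the library, or an injected statement) shows up as a mismatch; the packager then either reminifies from the source in main and ships that result, or investigates why the upstream artefact differs.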
