
Re: Security concerns with minified javascript code




On Tue, Aug 25, 2015 at 07:08:06PM +0100, Ian Jackson wrote:
> Bas Wijnen writes ("Re: Security concerns with minified javascript code"):
> > AFAIK Debian doesn't *require* generated files to be rebuilt.  For
> > example, it used to be common practice for a long time to copy
> > config.{guess,sub} from autotools-dev instead of regenerating them
> > with autoreconf (I think there is consensus now that regenerating is
> > better, but it still isn't a policy requirement).
> 
> config.{guess,sub} aren't modified by autotools, are they ?  Just
> copied.  I think you probably want to be thinking about configure.

They are just copied, but there are some more things happening when running
autoreconf (or running auto* manually) and IME autoreconf may not always work.
If it doesn't, the user cannot modify Makefile.am and have those changes work
their way into the compiled program.

(What it really means is that while Makefile.am is the source for Makefile, the
compilation process to turn one into the other is sometimes nontrivial; running
autoreconf during package build documents that process in debian/rules, or else
the package build will fail.)

> So I think that while you are right in the general case that
> we should regenerate everything from source, I think that autotools
> output might reasonably get an exception.  There might be other
> possible exceptions.

Yes, I agree that there are exceptions.  My point is not that it is a hard rule
(it isn't, and I think that is a good thing).  It may be broken, but you need a
reason.  I see no reason to break it for javascript code.

> The key point is that we want to be confident that we can modify what
> are supposedly the input files, regenerate the output files, and get a
> working package.

Exactly.  And the easiest way to be confident about it is to rebuild things, so
that is what you do unless you have a reason not to.

> In practice, given the widely adopted poor practice surrounding
> webapps in general and minified javascript in particular, I think that
> the only way we can be confident enough that we have useable source
> code is to actually use what we think is the source code.

Agreed.

Thanks,
Bas

