Re: Security concerns with minified javascript code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Aug 25, 2015 at 11:13:15PM +0200, Vincent Bernat wrote:
> ❦ 25 août 2015 17:58 GMT, Bas Wijnen <wijnen@debian.org> :
>
> > I don't see why javascript minification would be different from C compilation
> > in a way that would lead to a different way of handling it.
>
> It has already been said numerous time in the past, for some Javascript
> code, we don't really have the tools in Debian to easily go from the
> source to the minified version. It's possible, but without the
> appropriate tools, it's painful.
In that case, it should be treated like any other thing for which the compiler
is not in Debian: either package the compiler, or put it in contrib. But for
javascript that isn't even needed:
> We need to leave the Javascript ecosystem mature a bit more but in the
> meantime, a bit of tolerance would be appreciated
The minifier is a compiler. If it's not in main, files that are compiled with
it cannot be in main. For javascript, the easy solution is to not use the
compiler. Non-minified code works fine.
If you really want minified code, then you need to go for the hard solution,
just like in any other language: package the compiler and run it during build.
Thanks,
Bas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJV3O40AAoJEJzRfVgHwHE6snwP/RjBujWfFHEVhf9JNCAO5vxP
XmQinXIJiZ8DS6i2zst5Pw+eL2Zj80Sa26+7b1mKshJm064H9cr5YxxeZFx389Hm
dPsds8CzFgsxY5H2rsfA0ipC+oUzYpCYnrQwzPjJoC0As14BWMpMfvbNbNHFEMjc
7gS1POcN6N/zSv9xVHVeJjuXyNTwi6CEjvcHr0cXaJ594iZHE85OEyjywnYF3MiM
Vbtl3GkeCyF9QLE6QTTjhytCqtpu7RzU91kr1F1zF9ZMbzCxz5/jto1hhNvuhbD5
U57mEJ/mxXvbFMSXNouWDHhr1TX2Y3CwUijBz4MNpb14+1uptJPWQ/8SEL2SZQKe
g3Of8P4Jq+L+vOlc8B9N8s9GTHvPY4haOmI8PB6VHp75e5RQtZ77TMFekYAsI+Ev
GQulvjT+0+cw/JbBkuQfRkaBuG8MCx76z8aFvAjQt3EeDeiH4c6QDBvSTLROBpZp
qbLEDz5+Ux01AjBoMj6NFzjwdli/+H9RfAvKtb3r081yEf6v4NzntPlzvU8PWW/b
0+FWDDwvKQw0InkKMLQ8QSeyBK7Xk5Rkp4rxaCtzwCKOyHU+sw4jg8lg0K8p0edu
uJ2OVm5Chpqo7mbkfikS/4e0dZh4AYuhwHYCefJ5ORKAQFNJaRE+00zODrYqW0Oe
oD2QZIGbekgWegNtfv5Y
=wczl
-----END PGP SIGNATURE-----
Reply to: