
Re: Security concerns with minified javascript code




On Tue, Aug 25, 2015 at 11:13:15PM +0200, Vincent Bernat wrote:
>  ❦ 25 August 2015 17:58 GMT, Bas Wijnen <wijnen@debian.org> :
> 
> > I don't see why javascript minification would be different from C compilation
> > in a way that would lead to a different way of handling it.
> 
> It has already been said numerous times in the past, for some Javascript
> code, we don't really have the tools in Debian to easily go from the
> source to the minified version. It's possible, but without the
> appropriate tools, it's painful.

In that case, it should be treated like any other thing for which the compiler
is not in Debian: either package the compiler, or put it in contrib.  But for
javascript that isn't even needed:

> We need to let the Javascript ecosystem mature a bit more but in the
> meantime, a bit of tolerance would be appreciated.

The minifier is a compiler.  If it's not in main, files that are compiled with
it cannot be in main.  For javascript, the easy solution is to not use the
compiler.  Non-minified code works fine.

If you really want minified code, then you need to go for the hard solution,
just like in any other language: package the compiler and run it during build.

Thanks,
Bas

