
Re: Security concerns with minified javascript code



 ❦ 26 August 2015 09:04 +0200, Simon Josefsson <simon@josefsson.org> :

>>>>Notably, one of the tools is Grunt and its myriad of plugins. Even if
>>>>Grunt were in Debian, we would also need Gulp, then Broccoli, because in
>>>>Javascript, there is always someone thinking that it should be possible
>>>>to do better. We need to let the Javascript ecosystem mature a bit
>>>>more, but in the meantime, a bit of tolerance would be appreciated for
>>>>some of us needing to package some javascript bits.
>>>
>>> Why should we be tolerating setups where it's not clear that we can
>>> reproduce what's being shipped?
>>
>> We have done that for years for autoconf stuff.
>
> I believe that has proven many times to be a terrible idea, and it still
> causes frustration and may cause security problems when the generated
> code contains a bug (recall the automake chmod bug?).  Many packages now
> use dh --with autoreconf as a result.
>
> I don't think using the autoconf mess in Debian is a good excuse to make
> the same mistake with JavaScript.

My point is not that it's a good idea. My point is that this has been
tolerated for years while there was an easy workaround solution (running
autoreconf). It's "unfair" to ask packages using JS stuff to be
"perfect" right now while the difficulties are far greater.

I would also like to stress that all this stuff is DFSG-compliant.
-- 
Make sure special cases are truly special.
            - The Elements of Programming Style (Kernighan & Plauger)
