
Re: Security concerns with minified javascript code



On Wed, Aug 26, 2015 at 12:04 AM, Simon Josefsson <simon@josefsson.org> wrote:
> Vincent Bernat <bernat@debian.org> writes:
>
>>  ❦ 25 August 2015 22:46 +0100, Steve McIntyre <steve@einval.com> :
>>
>>>>Notably, one of the tools is Grunt and its myriad of plugins. Even if
>>>>Grunt was in Debian, we would also need Gulp, then Broccoli, because in
>>>>Javascript, there is always someone thinking that it should be possible
>>>>to do better. We need to let the Javascript ecosystem mature a bit
>>>>more, but in the meantime, a bit of tolerance would be appreciated for
>>>>some of us needing to package some javascript bits.
>>>
>>> Why should we be tolerating setups where it's not clear that we can
>>> reproduce what's being shipped?
>>
>> We have done that for years for autoconf stuff.
>
> I believe that has proven many times to be a terrible idea, and it still
> causes frustration and may cause security problems when the generated
> code contains a bug (recall the automake chmod bug?).  Many packages now
> use dh --with autoreconf as a result.
>
> I don't think using the autoconf mess in Debian is a good excuse to make
> the same mistake with JavaScript.

In that case, perhaps those who are most vocally in favour of
enforcing build-time javascript minification would care to work on a
debhelper addon to do so (similar to how dh-autoreconf makes dealing
with autoconf messiness easier as well)? After all, the people
spearheading build reproducibility in Debian got where they are today
by actively fixing toolchain issues and providing patches to make
packages build reproducibly, not by engaging in repetitive discussions
on debian-devel or forcing maintainers to deal with build
reproducibility by themselves. Choosing to whack people on the head
with Policy (or equivalent) instead is likely to be more
counterproductive than anything else.

Regards,
Vincent

