Re: Security concerns with minified javascript code
Vincent Bernat writes ("Re: Security concerns with minified javascript code"):
> My point is not that's a good idea. My point is that this has been
> tolerated for years while there was an easy workaround solution (running
> autoreconf).
It was only tolerated because problems (that is, packages containing
code that cannot be modified and rebuilt) were rare. (Although not
unknown, sadly, it appears.)
> It's "unfair" to ask packages using JS stuff to be
> "perfect" right now while the difficulties are far greater.
I'm sorry to say that the very fact that the difficulties are more
severe is an argument /against/ tolerating un-rebuilt minified js.
If in practice it were almost always easy to edit the unminified
source, and rebuild the minified version, to generate a working
package, then we would probably tolerate the deviation from best
practice implied by not actually regenerating.
> I would also like to stress that all this stuff is DFSG-compliant.
We are arguing about the interpretation of the DFSG, so I'm afraid
that this claim doesn't add anything.
Ian.