
Re: Security concerns with minified javascript code



Vincent Bernat writes ("Re: Security concerns with minified javascript code"):
> My point is not that's a good idea. My point is that this has been
> tolerated for years while there was an easy workaround solution (running
> autoreconf).

It was only tolerated because problems (that is, packages containing
code that cannot be modified and rebuilt) were rare.  (Although not
unknown, sadly, it appears.)

> It's "unfair" to ask packages using JS stuff to be
> "perfect" right now while the difficulties are far greater.

I'm sorry to say that the very fact that the difficulties are more
severe is an argument /against/ tolerating un-rebuilt minified js.

If in practice it were almost always easy to edit the unminified
source, and rebuild the minified version, to generate a working
package, then we would probably tolerate the deviation from best
practice implied by not actually regenerating.

> I would also like to stress that all this stuff is DFSG-compliant.

We are arguing about the interpretation of the DFSG, so I'm afraid
that this claim doesn't add anything.

Ian.

