Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Cc:
Subject: Re: Security concerns with minified javascript code
From: Steve McIntyre <steve@einval.com>
Date: Wed, 26 Aug 2015 13:41:03 +0100
Message-id: <[🔎] E1ZUa0l-0001iH-8X@mail.einval.com>
In-reply-to: <[🔎] 20150826121822.GA18961@enc.com.au>
References: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org> <[🔎] 20150825140451.GA991@jwilk.net> <[🔎] 87r3mro0zr.fsf@zoro.exoscale.ch> <[🔎] 3286173.kHpSARAV8N@kitterma-e6430> <[🔎] 20150825171712.2038.86835@auryn.jones.dk> <[🔎] 20150825175820.GF16029@spark.dtdns.net> <[🔎] E1ZUM3C-000858-Jd@mail.einval.com> <[🔎] 878u8ymwzc.fsf@zoro.exoscale.ch> <[🔎] 87zj1e5y4w.fsf@latte.josefsson.org> <[🔎] CACZd_tCKWgDr3HtvUnbkgLQ=8y8o59FSM7sP7amEukk+HJti3w@mail.gmail.com> <[🔎] CACZd_tCKWgDr3HtvUnbkgLQ=8y8o59FSM7sP7amEukk+HJti3w@mail.gmail.com>

Craig Small wrote:
>On Wed, Aug 26, 2015 at 12:28:22AM -0700, Vincent Cheng wrote:
>> In that case, perhaps those who are most vocally in favour of
>> enforcing build-time javascript minification would care to work on a
>> debhelper addon to do so (similar to how dh-autoreconf makes dealing
>That to me seems the best way forward.

If the tools are available and packageable, then it shouldn't be too
hard. If they're not, then...

>> reproducibility by themselves. Choosing to whack people on the head
>> with Policy (or equivalent) instead is likely to be more
>> counterproductive than anything else.
>I tend to ignore it and find it annoying noise. You might as well say
>"abandon packaging certain types of webapps in Debian" for all the use
>some of the discussion is.

So you don't consider shipping programs/scripts/binaries of unknown
provenance in Debian to be a problem?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html

Reply to:

References:
- Security concerns with minified javascript code
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Security concerns with minified javascript code
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Security concerns with minified javascript code
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Steve McIntyre <steve@einval.com>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Cheng <vcheng@debian.org>
- Re: Security concerns with minified javascript code
  - From: Craig Small <csmall@debian.org>

Prev by Date: Re: system upgrade by systemd
Next by Date: Re: system upgrade by systemd
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread