
Re: Security concerns with minified javascript code



Hello list,

On 26.08.2015 15:56, Philip Hands wrote:
> Vincent Bernat <bernat@debian.org> writes:
> 
>> [...]
>>  3. ship a pre-compiled/minified version of the library with sources.
>>
>> I know this sucks, but if I have to pick my poison, I'll pick the last
>> one. I have tried the second solution in the past, nobody wins (more
>> work for the maintainer, more bugs, unhappy users).
> 
> [...]
> How are we supposed to check that the source and the minified version
> are actually equivalent?  How are we supposed to provide security
> support for this stuff?
> 
> If we were to decide that distributing this was OK (something that I'm
> not currently persuaded of) then I'd suggest that the packages need to
> go into contrib.

+1.

At one time, Debian set high standards for the software in the 'main' section. If as the project we agree that we
cannot uphold those standards anymore, we should either:

a) move such software out of 'main' (to 'contrib' or whatever else is applicable);

or

b) openly and officially relax our standards, stating that the ability to build modified software is not a requirement
anymore.

Otherwise we are hiding the problems and deceiving ourselves.


-- 
Eugene V. Lyubimkin aka JackYF
C++ GNU/Linux userspace developer, Debian Developer