Re: Security concerns with minified javascript code
Hello list,
On 26.08.2015 15:56, Philip Hands wrote:
> Vincent Bernat <bernat@debian.org> writes:
>
>> [...]
>> 3. ship a pre-compiled/minified version of the library with sources.
>>
>> I know this sucks, but if I have to pick my poison, I'll pick the last
>> one. I have tried the second solution in the past, nobody wins (more
>> work for the maintainer, more bugs, unhappy users).
>
> [...]
> How are we supposed to check that the source and the minified version
> are actually equivalent? How are we supposed to provide security
> support for this stuff?
>
> If we were to decide that distributing this was OK (something that I'm
> not currently persuaded of) then I'd suggest that the packages need to
> go into contrib.
+1.
At one time, Debian set high standards for the software in the 'main' section. If, as a project, we agree that we
cannot uphold those standards anymore, we should either:
a) move such software out from 'main' (to 'contrib' or whatever else applicable);
or
b) openly and officially relax our standards, stating that an ability to build modified software is not a requirement
anymore.
Otherwise we are hiding the problems and deceiving ourselves.
--
Eugene V. Lyubimkin aka JackYF
C++ GNU/Linux userspace developer, Debian Developer