
Re: Security concerns with minified javascript code




On Wed, Aug 26, 2015 at 07:35:01AM +0200, Vincent Bernat wrote:
>  ❦ 25 August 2015 22:37 GMT, Bas Wijnen <wijnen@debian.org>:
> 
> >> We need to leave the Javascript ecosystem mature a bit more but in the
> >> meantime, a bit of tolerance would be appreciated
> >
> > The minifier is a compiler.  If it's not in main, files that are compiled with
> > it cannot be in main.  For javascript, the easy solution is to not use the
> > compiler.  Non-minified code works fine.
> 
> Non-minified code is decomposed into several dozen files. Using them is as
> painful as trying to concatenate them and minify them properly.

What does "minify properly" mean?  Using cat as a replacement for minifying
sounds attractive to me; what else is needed?

> There are a lot of solutions. All of them will make the package a bit more
> buggy than the previous ones. At the end, we will just get angry users and
> angry upstream.

On the other hand, shipping packages that cannot be rebuilt with tools from
Debian will also result in angry users.  For me personally, one of the bigger
reasons I use Debian is that we take good care that I can modify everything on
my system, and use the modified version.  The users you're talking about
probably don't care (much) about this, and should have contrib and non-free
enabled.

Why should code that doesn't meet our standards (compiler in main) be allowed
in main?  What is the downside of putting it in contrib?  "Users who don't have
contrib enabled can't use it then" is a feature, not a bug.

As to "people who care about having only free software in main should fix
things for us": that's not how it works.  Debian's rules say that this sort of
thing is not allowed.  You can't say that people who care about those rules
must fix other people's packages.  (You suggested that using --with autoreconf
was similar, but it wasn't; most work on that front was making sure autoreconf
could actually run and produced good output, and that work was done by the
maintainers, not by dh_autoreconf.)

> The main effect of this religious and overzealous application of our
> guidelines is that people just stay away from JS stuff in Debian, and
> packaging any web-related app is becoming more complex as everyone needs
> to deal with JS stuff in their own package.

Yes, that is a danger.  I think putting those things in contrib should be a
good solution if rebuilding is such a big problem.  Because if it is, the code
really really doesn't belong in main.

Thanks,
Bas

