Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Russ Allbery <rra@debian.org>
Date: Thu, 27 Aug 2015 16:14:53 -0700
Message-id: <[🔎] 878u8wl3wy.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20150827220443.GJ16029@spark.dtdns.net> (Bas Wijnen's message of "Thu, 27 Aug 2015 22:04:43 +0000")
References: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org> <[🔎] 20150825140451.GA991@jwilk.net> <[🔎] 87r3mro0zr.fsf@zoro.exoscale.ch> <[🔎] 3286173.kHpSARAV8N@kitterma-e6430> <[🔎] 20150825171712.2038.86835@auryn.jones.dk> <[🔎] 20150825175820.GF16029@spark.dtdns.net> <[🔎] 87y4gzm5qs.fsf@zoro.exoscale.ch> <[🔎] 20150825223741.GH16029@spark.dtdns.net> <[🔎] 87d1yamx2y.fsf@zoro.exoscale.ch> <[🔎] 20150827220443.GJ16029@spark.dtdns.net>

Bas Wijnen <wijnen@debian.org> writes:

> On the other hand, shipping packages that cannot be rebuilt with tools
> from Debian will also result in angry users.  For me personally, one of
> the bigger reasons I use Debian is that we take good care that I can
> modify everything on my system, and use the modified version.  The users
> you're talking about probably don't care (much) about this, and should
> have contrib and non-free enabled.

> Why should code that doesn't meet our standards (compiler in main) be
> allowed in main?  What is the downside of putting it in contrib?  "Users
> who don't have contrib enabled can't use it then" is a feature, not a
> bug.

Last time I checked, Doxygen includes minified Javascript in all of its
generated output.  Would we have to move every piece of Doxygen-generated
documentation into a separate package so that we could put it in contrib,
or strip it from our packages?  Maybe someone has fixed this in Doxygen
somehow?

This is typical of the sorts of problems that I would expect.  It would
surprise me if this were a smaller project than the GFDL purging.  It
might be quite a bit larger.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: IOhannes m zmölnig <zmoelnig@umlaeute.mur.at>
- Re: Security concerns with minified javascript code
  - From: Helmut Grohne <helmut@subdivi.de>

References:
- Security concerns with minified javascript code
  - From: Simon Josefsson <simon@josefsson.org>
- Re: Security concerns with minified javascript code
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Security concerns with minified javascript code
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>

Prev by Date: Re: Security concerns with minified javascript code
Next by Date: Re: system upgrade by systemd
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread