Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Samuel Thibault <sthibault@debian.org>
Date: Fri, 28 Aug 2015 12:03:16 +0200
Message-id: <[🔎] 20150828100316.GB2732@var.bordeaux.inria.fr>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20150828103252.5fc3d4eb@sylvester.codehelp>
References: <[🔎] 20150825223741.GH16029@spark.dtdns.net> <[🔎] 87d1yamx2y.fsf@zoro.exoscale.ch> <[🔎] 20150827220443.GJ16029@spark.dtdns.net> <[🔎] 878u8wl3wy.fsf@hope.eyrie.org> <[🔎] 20150828014648.GL16029@spark.dtdns.net> <[🔎] m3y4gwnern.fsf@neo.luffy.cx> <[🔎] 8737z3vpw8.fsf@whist.hands.com> <[🔎] 87fv33et1i.fsf@zoro.exoscale.ch> <[🔎] 20150828084516.GY2641@var.home> <[🔎] 20150828103252.5fc3d4eb@sylvester.codehelp>

Neil Williams, le Fri 28 Aug 2015 10:32:52 +0100, a écrit :
> On Fri, 28 Aug 2015 10:45:16 +0200
> Samuel Thibault <sthibault@debian.org> wrote:
> 
> > Vincent Bernat, le Fri 28 Aug 2015 10:06:17 +0200, a écrit :
> > > Maybe it can be trimmed a bit more, but that's still 239 unique
> > > dependencies.
> > 
> > Note that you don't have to make that 239 debian packages, you could
> > as well just ship them all in one package, as long as the whole code
> > passes NEW, i.e. all their copyrights are fine.
> 
> Depends how many upstreams are involved and therefore how many release
> schedules.

As long as we have a set that works, we are fine. Upstream has to have
one anyway, we can just take that one.

> I still find it hard to believe that *so* much code is required to
> minify JS. The excuse that JS is "moving fast" is nonsense.

I would rather say "worrying" actually.

> Why isn't there a KISS tool to do this? Is it all just special
> snowflake optimisations for what has to be / should be a simple process
> of removing whitespace and collapsing the formatting?

No, it also modifies the code, e.g. turning !foo && !bar into
!(foo || bar), which is one character less.

I wonder why mere gzip compression is not used. Don't all browsers
support Accept-Compress: gzip?

Samuel

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>

References:
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Russ Allbery <rra@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Philip Hands <phil@hands.com>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Security concerns with minified javascript code
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Re: Security concerns with minified javascript code
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread