Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Russ Allbery <rra@debian.org>
Date: Fri, 28 Aug 2015 09:25:37 -0700
Message-id: <[🔎] 87613z8jni.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20150828103252.5fc3d4eb@sylvester.codehelp> (Neil Williams's message of "Fri, 28 Aug 2015 10:32:52 +0100")
References: <[🔎] 20150825175820.GF16029@spark.dtdns.net> <[🔎] 87y4gzm5qs.fsf@zoro.exoscale.ch> <[🔎] 20150825223741.GH16029@spark.dtdns.net> <[🔎] 87d1yamx2y.fsf@zoro.exoscale.ch> <[🔎] 20150827220443.GJ16029@spark.dtdns.net> <[🔎] 878u8wl3wy.fsf@hope.eyrie.org> <[🔎] 20150828014648.GL16029@spark.dtdns.net> <[🔎] m3y4gwnern.fsf@neo.luffy.cx> <[🔎] 8737z3vpw8.fsf@whist.hands.com> <[🔎] 87fv33et1i.fsf@zoro.exoscale.ch> <[🔎] 20150828084516.GY2641@var.home> <[🔎] 20150828103252.5fc3d4eb@sylvester.codehelp>

Neil Williams <codehelp@debian.org> writes:

> I still find it hard to believe that *so* much code is required to
> minify JS. The excuse that JS is "moving fast" is nonsense. The reality
> would appear to be that nobody actually *cares* about the mess, they
> just use it.

This is almost certainly correct.

> Usable software needs usable tools.

The problem is that this *is* usable for nearly all the people who
currently use it, who just run one command to install it and have all
those dependencies pulled from a remote repo for them.  Because the
dependency installation process is so easy, they think no more about
adding new dependencies than we think about installing some application
with apt that happens to require a bunch of shared libraries.

In other words, the people developing and using this tool don't see this
as a problem, and therefore don't care about fixing it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Steve McIntyre <steve@einval.com>

References:
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Russ Allbery <rra@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Philip Hands <phil@hands.com>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Security concerns with minified javascript code
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Summary of the DebConf firmware discussion
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread