Re: Security concerns with minified javascript code
Steve Langasek <vorlon@debian.org> writes:
> […] Nevertheless, for packages that *are* in Debian, we should expect
> that the source package contains the *full* corresponding source code
> for any minified javascript files. If we can't rebuild it then we
> don't actually have the source, and that's a practical as well as
> philosophical problem for Debian and for our users.
>
> Yes, packaging a new and fast-moving ecosystem according to Debian's
> standards is a lot of work. Let's figure out the best way to do that
> work, instead of pretending that Debian's standards don't matter.

Thank you Steve, that's a succinct and clear statement of the position
I've been struggling to express so plainly.

My (small, to date) efforts to package works containing JavaScript make
it clear that this is a problem which continues to increase in scale.
It's one that we need the wider community beyond the Debian project to
engage with; but it does at least require the Debian project to be clear
about what is and isn't acceptable.

--
\ “Nature hath given men one tongue but two ears, that we may |
`\ hear from others twice as much as we speak.” —Epictetus, |
_o__) _Fragments_ |
Ben Finney