
Re: Security concerns with minified javascript code



On Thu, Aug 27, 2015 at 04:14:53PM -0700, Russ Allbery wrote:
> Last time I checked, Doxygen includes minified Javascript in all of its
> generated output.  Would we have to move every piece of Doxygen-generated
> documentation into a separate package so that we could put it in contrib,
> or strip it from our packages?  Maybe someone has fixed this in Doxygen
> somehow?

Indeed, Doxygen used to ship minified JavaScript and the corresponding
source was attached to the Debian packaging, but not regenerated during
build. Since then this has changed and the doxygen package does run the
yui compressor during package build, ensuring that the minification is
redoable. The current state is documented at
/usr/share/doc/doxygen/README.jquery. Last time I wondered whether
packages that use Doxygen during build should also emit a Built-Using
header, it was agreed that Built-Using has a different purpose. So even
though the situation could be improved here, it currently is DFSG
compatible and build from source is ensured. Help with fixing the
embedding issue is welcome of course. When will we have dynamic linking
for JavaScript libraries?

Helmut

