
Re: Security concerns with minified javascript code



* Raphael Hertzog <hertzog@debian.org> [150901 12:57]:
> Because we have alternative "compilers" (aka minifiers) available to
> recreate another minified file that should work just as well.

No.  Debian does not allow you to ship a compiled C program that was
compiled elsewhere; the maintainer or a buildd is responsible for taking
the source and creating an executable.  The same applies to minified JS.
I don't see how anyone can argue that minified JS is different.

(And besides, "different but works just as well" is not even close to
the same as "could be built from source, but just wasn't".)

Sometimes doing the right thing is hard.  The GFDL issue is an example;
it took a large effort and a lot of time, but we finally did it.  We did
not remove all GFDL source in one shot.  We decided it really was a
problem, started filing bugs, and started fixing them.  I believe there
was a release in the middle of the purge that ignored (for RC purposes)
those bugs, but we did eventually get all GFDL-licenced material moved
to non-free.

We should do the same for minified JS that is not built using tools in
main.

...Marvin
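The distinction Marvin draws between "could be built from source, but just wasn't" and "different but works just as well" is a reproducibility check, and it can be made mechanical. The script below is an added illustration, not code from this thread or from Debian; it uses a toy whitespace-and-comment-stripping minifier as a stand-in for a real minifier from main (in a package, debian/rules would invoke the real tool instead), rebuilds the minified artifact from the source, and compares it byte-for-byte with the blob upstream shipped. The source snippet and the three "shipped" blobs are constructed for the example.

```python
import hashlib
import re


def toy_minify(source: str) -> str:
    """Stand-in minifier for this illustration only: drops // line comments
    and leading/trailing whitespace, then concatenates the remaining lines.
    It is deliberately naive (no string-literal awareness); a package would
    call a real minifier shipped in main here, which is the point of the check."""
    out = []
    for line in source.splitlines():
        line = re.sub(r"//.*$", "", line).strip()
        if line:
            out.append(line)
    return "".join(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_rebuildable(source: str, shipped_min: bytes) -> dict:
    """Rebuild the minified file from source with the in-archive toolchain
    and report whether the shipped artifact is exactly what that rebuild
    produces. Only a byte-identical match shows the blob was built from
    the source we have; 'works just as well' does not pass this test."""
    rebuilt = toy_minify(source).encode()
    return {
        "reproducible": rebuilt == shipped_min,
        "rebuilt_sha256": sha256_hex(rebuilt),
        "shipped_sha256": sha256_hex(shipped_min),
    }


# Constructed sample source, standing in for the unminified upstream file.
SOURCE_JS = """\
// greet the user
function greet(name) {
    return "Hello, " + name;
}
"""

# Constructed shipped blobs:
# 1. exactly what rebuilding from source produces (rebuildable),
SHIPPED_OK = b'function greet(name) {return "Hello, " + name;}'
# 2. functionally equivalent output of some other minifier ("works just
#    as well", but demonstrably not built from this source with our tool),
SHIPPED_EQUIVALENT = b'function greet(name){return"Hello, "+name}'
# 3. a blob containing a statement that the source does not contain at all;
#    without a rebuild from source there is no way to notice this.
SHIPPED_DIVERGENT = b'function greet(name) {report(name);return "Hello, " + name;}'


def main() -> None:
    for label, blob in (("rebuildable", SHIPPED_OK),
                        ("equivalent", SHIPPED_EQUIVALENT),
                        ("divergent", SHIPPED_DIVERGENT)):
        verdict = check_rebuildable(SOURCE_JS, blob)
        status = "OK" if verdict["reproducible"] else "REJECT"
        print(f"{label:12s} {status:6s} rebuilt={verdict['rebuilt_sha256'][:12]} "
              f"shipped={verdict['shipped_sha256'][:12]}")


if __name__ == "__main__":
    main()
```

Only the first blob passes; the second fails even though it behaves identically, which is exactly the distinction the post makes, and the third is caught only because the artifact is regenerated from source rather than trusted as shipped.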

