Re: Security concerns with minified javascript code

On Tue, Sep 01, 2015 at 04:42:15PM +0200, Helmut Grohne wrote:
> On Tue, Sep 01, 2015 at 08:15:19AM +0200, Guido Günther wrote:
> > Couldn't we just use the non-minified versions in most situations? A
> > heavily loaded WordPress site might not be a good example, but e.g. Doxygen
> > documentation probably doesn't suffer much from non-minified JS.
> I fail to see what problem that would solve here. The minification
> happens on Debian's buildds using tools from main. What would we gain by
> not doing it?

Iff we have the tools in main to minify there's of course no reason to
ship unminified JS. One can just minify during the build.

> The context of your answer is one of security updates. Why would we want
> to do security updates for the JavaScript shipped with documentation? Do
> you see an attack vector here?
> Even assuming an attack vector, I think the easiest way here would be to
> upload a fixed Doxygen and then binNMU/nochange-NMU all reverse
> dependencies.
> Really, pulling Doxygen in this discussion is a straw man nowadays.
> Please pick better examples or arguments.

There are others. Mozilla extensions, groupware suites, etc. In many
situations going for the unminified version just solves the security
issue without any damage.

 -- Guido
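The concern in this thread is that pre-minified JavaScript shipped in a source package is a blob nobody can review or patch, so the build should start from the readable source and minify on the buildd. A first practical step is finding out which files in a tree are already minified. The script below is an added example written for this page, not Debian's or lintian's tooling; the line-length thresholds (longest line over 500 characters, or average line over 200) are an assumed heuristic, and the sample tree it scans is constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Debian tooling): heuristic scan
# for pre-minified JavaScript in a source tree. Minified JS typically has
# very long lines; readable source does not. Thresholds are assumptions.

# is_minified FILE -> exit 0 if FILE looks minified, 1 otherwise
is_minified() {
    awk -v maxlen=500 -v avglen=200 '
        { total += length($0); if (length($0) > longest) longest = length($0) }
        END {
            if (NR == 0) exit 1                 # empty file: not minified
            if (longest > maxlen || total / NR > avglen) exit 0
            exit 1
        }' "$1"
}

# scan_tree DIR -> prints paths of *.js files under DIR that look minified
scan_tree() {
    find "$1" -type f -name '*.js' | sort | while IFS= read -r f; do
        if is_minified "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree: one readable source file, one minified-looking file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src" "$demo_dir/vendor"

cat > "$demo_dir/src/app.js" <<'EOF'
function greet(name) {
  // readable, reviewable source
  return "Hello, " + name;
}
EOF

# Generate a single ~1200-character line so no real minifier is needed here.
awk 'BEGIN {
    s = "function g(n){return\"Hello, \"+n;}"
    while (length(s) < 1200) s = s "var x" length(s) "=1;"
    print s
}' > "$demo_dir/vendor/lib.min.js"

# Lists only vendor/lib.min.js: the candidate to replace with a build-time minification.
scan_tree "$demo_dir"
```

Run it from a package's unpacked source; every path it prints is a file the build should regenerate from its unminified original (or drop in favour of a packaged copy) rather than ship as-is.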

