
Re: Security concerns with minified javascript code



On Tue, 01 Sep 2015, Vincent Bernat wrote:
>  1. Upstream may not ship this source but only the minified version
>  because the JS code is just a dependency and some upstream are used
>  to just ship the minified source. We can recover the original code
>  from another source but there is a risk that this is not really the
>  original code because many JS projects have a modular build (jQuery,
>  modernizr, ...). This is what Raphael is explaining for WordPress (I
>  think).

This is precisely why the actual source code is required. This is no
different than a C program shipping a .a file. Perhaps one from a
specific version of a library from which we may have the source code but
which may or may not have been modified in some way which is absolutely
essential for the functioning of the code, but not noted anywhere.

It sucks that this is difficult, but freedom zero is really important,
and requires source code. I mean, we're still working with upstreams who
write C code, and that's been non-controversial for decades.

-- 
Don Armstrong                      http://www.donarmstrong.com

As nightfall does not come at once, neither does oppression. In both
instances, there is a twilight when everything remains seemingly
unchanged. And it is in such twilight that we all must be most aware
of change in the air -- however slight -- lest we become unwitting
victims of the darkness.
 -- William O. Douglas

