
Re: Security concerns with minified javascript code

 ❦  2 September 2015 09:28 +0200, Samuel Thibault <sthibault@debian.org> :

>> Healthy language communities have their own metadata systems and
>> standardized build systems that allow Debian packaging to be nearly
>> automated, *provided* that we use the same unit of distribution as
>> upstream.
> I understand that using the same unit of distribution helps, but I'd
> tend to think that with not too much work you can achieve automated
> packaging of collections of upstream packages.
> Notably, the whole minification toolchain could be uploaded as just one
> package, using on each upload the set of versions that upstream is known
> to be using.

There is no such thing as a "whole minification toolchain".

If you talk about uglifyjs or the like, it is already packaged and
doesn't solve all the problems we have (see my message to Odyx,
<m337yyylr4.fsf@neo.luffy.cx>).

If you talk about Grunt, Grunt comes with a lot of plugins (and does
almost nothing without those) and each upstream will require different
plugins with different versions (Grunt plugin versions are evolving
fast). See the tree I posted for jQuery 3.x in
<m3y4gwnern.fsf@neo.luffy.cx>. This whole dependency chain is maintained
by a variety of upstreams with different release schedules and goals.

Let the data structure the program.
            - The Elements of Programming Style (Kernighan & Plauger)
