
Re: Security concerns with minified javascript code

Vincent Bernat, on Wed 02 Sep 2015 10:10:55 +0200, wrote:
>  ❦  2 September 2015 09:54 +0200, Samuel Thibault <sthibault@debian.org> :
> >> If you talk about Grunt,
> >
> > That's what I'm talking about.
> >
> >> Grunt comes with a lot of plugins (and does almost nothing without
> >> those) and each upstream will require different plugins with different
> >> versions (Grunt plugin versions are evolving fast). See the tree I
> >> posted for jQuery 3.x in <m3y4gwnern.fsf@neo.luffy.cx>.
> >
> > That's precisely what I'm talking about.
> >
> >> All this dependency chain is maintained by a variety of upstreams with
> >> different release schedules and goals.
> >
> > Sure, but apparently the set of plugin versions which fit together is
> > known?  I.e. I guess you didn't write the tree by hand?
> Yes, but it's only to compile jQuery. If I take another random project,
> I will get a different set of plugins.

> Or maybe you propose to just ship the whole "node_modules" directory
> (which has all the dependencies) with jQuery sources?

That'd be a lot better than nothing.

> This would incur some work on d/copyright and I don't see how this
> would be a good practice.

Yes, but that work on d/copyright is *needed*: if we don't know for sure
that the compiler itself is really free, then we can't call the result
free and put it in main.

I however agree that it seems poor practice to duplicate these build
modules in every package. But if the required versions are different,
there is no real other way. If there is a set of modules which are known
to be used widely and with stable versions, then they could be put in a
shared package.

> But this would solve some of the problems, yes.

What problems remain?
