[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

 ❦  2 septembre 2015 10:18 +0200, Samuel Thibault <sthibault@debian.org> :

>> Or maybe you propose to just ship the whole "node_modules" directory
>> (which has all the dependencies) with jQuery sources?
> That'd be a lot better than nothing.

OK. Also, node_modules for jQuery is 76M (for 3.x, 70M for 2.x). I still
find using pre-minification jquery.js to be a better alternative due to
the fact is far far simpler. But whatever the consensus we may reach.

>> This would incur some work on d/copyright and I don't see like this
>> would be a good practice.
> Yes, but that work on d/copyright is *needed*: if we don't know for sure
> that the compiler itself is really free, then we can't call the result
> free and put it in main.

Yes, but at each release, node_modules will need to be regenerated and
inspected again.

> I however agree that it seems poor practice to duplicate these build
> modules in every packages. But if the required versions are different,
> there is no real other way. If there is a set of modules which are known
> to be used widely and with stable versions, then they could be put in a
> shared package.

I can't say for sure.

>> But this would solve some of the problems, yes.
> What problems remain?

Parametrized and custom builds. But we don't have to solve everything at
Every cloud engenders not a storm.
		-- William Shakespeare, "Henry VI"

Attachment: signature.asc
Description: PGP signature

Reply to: