[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

Vincent Bernat dijo [Wed, Sep 02, 2015 at 09:47:23AM +0200]:
> If you talk about uglifyjs or the like, it is already packaged and
> doesn't solve all the problems we have (see my message to Odyx,
> <[🔎] m337yyylr4.fsf@neo.luffy.cx>).
> If you talk about Grunt, Grunt comes with a lot of plugins (and does
> almost nothing without those) and each upstream will require different
> plugins with different versions (Grunt plugin versions are evolving
> fast). See the tree I posted for jQuery 3.x in
> <m3y4gwnern.fsf@neo.luffy.cx>. All this dependency chain is maintained
> by a variety of upstreams with different release schedules and goals.

This sounds quite similar to the situation we had with Rails (might
still have it, but I cannot say for sure, as I'm not much involved
with it anymore). Rails packages a set of Ruby libraries, each of
which has its schedule and versions.

Rails' developers "curate" such libraries, write some glue between
them (sometimes even take over their whole development), and come up
with "versions". Those versions have a stable set of libraries
presented together.

Of course, that does not (completely) solve the mess we have to deal
with when packaging Ruby, as each developer wants her code to work
with wildly differing versions of the involved "gems", and... and...

Sigh :-) You know what I mean.

But anyway — Grunt can be seen as a whole. If you just see it as a
collection of plugins, packaging them becomes just a pointless
PITA. We just cannot have different versions of hundreds of projects
in Debian and expect to maintain a decent code quality. Bad Things
(i.e. software vulnerabilities) can and will happen, and as Neil
Williams mentioned earlier on this thread, keeping track of all those
embedded code copies becomes an exponentially hard task.

Reply to: