
Re: Security concerns with minified javascript code



On Tue, Sep 01, 2015 at 04:42:15PM +0200, Helmut Grohne wrote:
> On Tue, Sep 01, 2015 at 08:15:19AM +0200, Guido Günther wrote:
> > Couldn't we just use the non-minified versions in most situations? A
> > heavily loaded wordpress site might not be a good example but e.g. doxygen
> > documentation probably doesn't suffer much from non-minified JS.
> 
> I fail to see what problem that would solve here. The minification
> happens on Debian's buildds using tools from main. What would we gain by
> not doing it?

Iff we have the tools in main to minify there's of course no reason to
ship unminified JS. One can just minify during the build.

> The context of your answer is one of security updates. Why would we want
> to do security updates for the JavaScript shipped with documentation? Do
> you see an attack vector here?
> 
> Even assuming an attack vector, I think the easiest way here would be to
> upload a fixed Doxygen and then binNMU/nochange-NMU all reverse
> dependencies.
> 
> Really, pulling Doxygen in this discussion is a straw man nowadays.
> Please pick better examples or arguments.

There are others. Mozilla extensions, groupware suites, etc. In many
situations going for the unminified version just solves the security
issue without any damage.

Cheers,
 -- Guido

