[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

Vincent Bernat, le Wed 02 Sep 2015 11:20:32 +0200, a écrit :
>  ❦  2 septembre 2015 10:18 +0200, Samuel Thibault <sthibault@debian.org> :
> >> Or maybe you propose to just ship the whole "node_modules" directory
> >> (which has all the dependencies) with jQuery sources?
> >
> > That'd be a lot better than nothing.
> 
> OK. Also, node_modules for jQuery is 76M (for 3.x, 70M for 2.x).

Is is arch:all?  If so, I guess 76M is completely fine.

> >> This would incur some work on d/copyright and I don't see like this
> >> would be a good practice.
> >
> > Yes, but that work on d/copyright is *needed*: if we don't know for sure
> > that the compiler itself is really free, then we can't call the result
> > free and put it in main.
> 
> Yes, but at each release, node_modules will need to be regenerated and
> inspected again.

Which maps to the fact that we need to continuously make sure that the
software we're basing on is free.

Samuel
Reply to: