Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Jeroen Dekkers <jeroen@dekkers.ch>
Date: Wed, 02 Sep 2015 22:46:49 +0200
Message-id: <[🔎] 8737yweeh2.wl-jeroen@dekkers.ch>
In-reply-to: <[🔎] 20150901165644.GA1862@home.ouaza.com>
References: <20150831152154.GA28751@basil.wdw> <20150831064953.GA20228@home.ouaza.com> <20150831203257.GV16029@spark.dtdns.net> <[🔎] 20150901165644.GA1862@home.ouaza.com>

At Tue, 1 Sep 2015 18:56:45 +0200,
Raphael Hertzog wrote:
> For me, the javascripts bits in wordpress/publican are not part of the
> product, they are external libraries whose preferred form of use is
> by embedding a copy of the library... that sucks but it's the way it is.
> 
> I do not see significant value in extending my packaging to rebuild
> the minified files from source as part of the wordpress/publican source
> package. On the opposite, it has a significant cost:
> - I have to add the sources when upstream does not ship them
>   (which is not a problem for many upstreams since the BSD-ish
>   licences do not require you to provide the sources)
> - ensure the sources are in sync with the minified copy
>   (even when friendly upsreams provide the required sources
>   on our request, they sometimes updates only one the minified file
>   and forget about the sources in some other directory)
> - if the minifier is not the same as upstream, it will create
>   a divergence with upstream and can always be a source of
>   suspicion when we report issues to upstream...

I do see at least one very significant advantage of rebuilding: it's a
lot easier to check that no malicious code is inserted. And if I
understand you correctly you're shipping minified files modified by
upstream for which there might not even be complete up-to-date source
available at all, so how do you know that neither upstream nor someone
who compromised the server used by upstream inserted any backdoor in
the minified file?

What you're saying is like it's fine to have a precompiled static
auxiliary C library that get's linked into the big main program
because making sure that you've got the correct corresponding source
for that small library is hard, the whole world just uses the static
library anyway and in case we do have the correct source then we
probably don't use the exact same compiler as upstream so the object
files would diverge from upstream. Doesn't that sound a bit ridiculous
if we're talking about C? So why would it be okay if we're talking
about javascript?

Kind regards,

Jeroen Dekkers

Reply to:

References:
- Re: Security concerns with minified javascript code
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Bug#797820: ITP: r-cran-bayesfactor -- GNU R package providing a suite of functions for computing various Bayes factors for simple designs
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread