Re: Security concerns with minified javascript code
Bas Wijnen writes ("Re: Security concerns with minified javascript code"):
> AFAIK Debian doesn't *require* generated files to be rebuilt. For
> example, it used to be common practice for a long time to copy
> config.{guess,sub} from autotools-dev instead of regenerating them
> with autoreconf (I think there is consensus now that regenerating is
> better, but it still isn't a policy requirement).
config.{guess,sub} aren't modified by autotools, are they ? Just
copied. I think you probably want to be thinking about configure.
Not regenerating configure doesn't pose any significant risk that
we're shipping a configure script that we can't regenerate (or, at
least, regenerate an equivalent or better one). I've not heard of
people (for example) using private autoconf macros not included in
their build tree.
So I think that while you are right in the general case that
we should regenerate everything from source, I think that autotools
output might reasonably get an exception. There might be other
possible exceptions.
The key point is that we want to be confident that we can modify what
are supposedly the input files, regenerate the output files, and get a
working package.
> I don't see why javascript minification would be different from C
> compilation in a way that would lead to a different way of handling
> it.
In practice, given the widely adopted poor practice surrounding
webapps in general and minified javascript in particular, I think that
the only way we can be confident enough that we have useable source
code is to actually use what we think is the source code.
Ian.
Reply to: