On 12-06-15 at 02:20pm, Raphaël Hertzog wrote: > It would be nice if you could also provide the various *.min.js files > that upstream does provide. > > I understand that you provide jquery.ui.min.js which includes > everything but there are plenty of applications which embed a subset > of the various *.min.js files (in my case Wordpress) and it would be > nice if we could replace them with a symlink. > > Ideally you would even provide pristine copy of those files so that we > can more easily identify when they are really the same files or not > (this means that you should not minify them during build unless you > have changed the original file as well). This is particularly > interesting so that people can use the "deduplicate" command of > dh-linktree instead of blindly replacing the files by symlinks.
I agree that all[1] javascript files offered for browser use (i.e. below /usr/share/javascript/) should include a minified variant. I disagree, however, that upstream minification should be used, as it raise the risk of flaws or mallice passed on unnoticed from upstream to Debian: changes to minified files cannot be checked with simple "git diff" as is the case for most[2] upstream preferred source formats. Perhaps dh-linktree could be extended to check against hashes too, and a packaging helper tool could be developed to generate lists of (alternative) hashes for files shipped with binary packages. Regards, - Jonas [1] when it makes sense - i.e. not e.g. when file is too small to gain any benefit from minification. [2] at least one project - etoys - use a binary format as preferred source format, and for that very reason is placed in non-free even if DFSG-free, due to the Debian Security Team judging it too difficult to reliably handle eventually security patches for it. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: Digital signature
