Jakub Wilk dijo [Tue, Aug 25, 2015 at 04:04:52PM +0200]: > >>To me the problem suggests that it is important from a security and > >>accountability perspective to 1) include the human-readable source code > >>of JavaScript in Debian packages, and 2) to compile the human-readable > >>source code into a minified code (if required) during package builds, > >>using a JS-minifier that is included in Debian. > >>Thoughts? > > > >This is anyway mandatory in Debian, > > Do we actually require re-minifying JS code at build time?
If your upstream does not ship the pre-minified JS code, you must include it in the packaging (i.e. via debian/missing-sources/ ) You can choose whether to re-minify or not; I do re-minify for the same reason upstream does (usually, reduced bandwidth or a lower amount of requests due to combining several source files together). You should only ship upstream's non-minified code if you can reliably produce identical code to it.
