Vincent Bernat writes ("Re: Security concerns with minified javascript code"):
> My point is not that's a good idea. My point is that this has been
> tolerated for years while there was an easy workaround solution (running
> autoreconf).

It was only tolerated because problems (that is, packages containing
code that cannot be modified and rebuilt) were rare. (Although not
unknown, sadly, it appears.)

> It's "unfair" to ask packages using JS stuff to be
> "perfect" right now while the difficulties are far greater.

I'm sorry to say that the very fact that the difficulties are more
severe is an argument /against/ tolerating un-rebuilt minified js.

If in practice it were almost always easy to edit the unminified
source, and rebuild the minified version, to generate a working
package, then we would probably tolerate the deviation from best
practice implied by not actually regenerating.

> I would also like to stress that all this stuff is DFSG-compliant.

We are arguing about the interpretation of the DFSG, so I'm afraid
that this claim doesn't add anything.

Ian.