On Wed, May 23, 2018 at 12:16 AM Greg Stein <gst...@gmail.com> wrote:
> On Mon, May 21, 2018 at 2:52 AM Justin Mclean <jus...@classsoftware.com> wrote:
>
> > Hi,
> >
> > > Javascript code that is minified or combined in any major way is much more
> > > like binary code in that respect. It is true that somebody *could* inspect
> > > the correlation, but it is not true that this inspection is either normally
> > > done or easily done.
> >
> > Thanks Ted I’ve not thought of it in that way before. I've seen several
> > source releases that include minified javascript I'm just curious what
> > people think about this.
> >
> > Do people think it OK to include minified JS in a source release if:
> > 1. It's ASF developed code and the full unminified source code is included
> > as well.
>
> Absolutely.

Also agree, yes.

> Think "autoconf" ... the resulting "configure" file is as opaque as a
> minified JS file or a binary. Nobody edits/modifies that shell script. And
> we've been doing this for *years* ... it's natural and normal.

I agree. It's only a problem if the project does not include the original source, like in https://issues.apache.org/jira/browse/THRIFT-4119 (an outstanding omission of source issue currently described as "intended behavior").

> The general rule is "don't place generated artifacts into source control",
> but we nearly always include generated artifacts in our source releases.
>
> > 2. The minified JS is 3rd party code, is identified by version (and thus
> > can be checked via a comparison with the canonical minified version)
>
> I recommend using a CDN for these, when possible (eg. bootstrap and jquery)
> as noted else-thread. That works well for the end-user, and avoids many of
> these questions.

Accumulo recently addressed a similar situation. We ended up bundling non-minimized, but made the webapp configurable, in case users want to switch to a non-bundled minimized version, a more up-to-date version (jQuery gets a lot of security updates), or one from their preferred CDN.

I would strongly agree with Greg's recommendation to use a CDN by default... but if you need to bundle... making it user-configurable might be an option.

There might be another good reason to avoid bundling minified versions, and this reason specifically applies to *minified* (obfuscated) source (rather than to all generated code): that is, it's not considered "free software" according to the Free Software Foundation (http://www.gnu.org/philosophy/free-sw.html), nor are they considered "open source" according to the Open Source Initiative (http://opensource.org/osd). Of course, these definitions aren't necessarily ASF definitions... but they do tend to be respected definitions (this was first brought to my attention by the Fedora/RedHat community, which tends to be very strict about these things).

> Cheers,
> -g