Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Security concerns with minified javascript code
From: Simon Josefsson <simon@josefsson.org>
Date: Mon, 24 Aug 2015 13:54:21 +0200
Message-id: <[🔎] 87wpwk7vgy.fsf@latte.josefsson.org>

I believe the blog post below has relevance to Debian's stance on
including minified JavaScript in packages:

https://zyan.scripts.mit.edu/blog/backdooring-js/

To me the problem suggests that it is important from a security and
accountability perspective to 1) include the human-readable source code
of JavaScript in Debian packages, and 2) to compile the human-readable
source code into a minified code (if required) during package builds,
using a JS-minifier that is included in Debian.

Thoughts?

Before I regarded the problem with minified javascript as a nuisance,
but I have changed my mind.

/Simon

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Thomas Goirand <zigo@debian.org>
- Re: Security concerns with minified javascript code
  - From: Dmitry Smirnov <onlyjob@debian.org>

Prev by Date: Re: Testing excuse: introduces new bugs?
Next by Date: Re: Security concerns with minified javascript code
Previous by thread: Bug#796755: RFP: mpxj-java -- library to manipulate project information in various file formats
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread