On 25/04/14 17:40, Neil Williams wrote:
> On Fri, 25 Apr 2014 16:47:41 +0200 Jeroen Dekkers
> <jer...@dekkers.ch> wrote:
>
>> At Fri, 25 Apr 2014 14:58:35 +0200, Daniel Pocock wrote:
>>> There is no doubt in my mind that if the rules are not strict
>>> then sooner or later somebody will sneak something bad into
>>> some minified Javascript - maybe it will happen upstream and
>>> the DD won't even be aware of it.
>>
>> Yes, and that's why javascript shipped in binary packages should
>> be built from source and we should not copy minified javascript
>> files from upstream. I think there isn't much disagreement about
>> that part. But if the minified javascript files in the upstream
>> tarball aren't used when building the binary packages because the
>> javascript libraries are already packaged in Debian, then it
>> isn't possible that something bad sneaks in our packages. So why
>> repack the upstream tarball?
>>
>> I don't really see any value in repacking every upstream tarball
>> that has a minified copy of jQuery.
> When FTP masters approve a package from NEW, they might well see
> that the js is not really in use - but somebody (upstream or
> maintainer) may change something after 6 months and the js does get used

Archive: https://lists.debian.org/535a9c8a.60...@pocock.com.au