At Tue, 1 Sep 2015 18:56:45 +0200, Raphael Hertzog wrote:
> For me, the javascript bits in wordpress/publican are not part of the
> product, they are external libraries whose preferred form of use is
> by embedding a copy of the library... that sucks but it's the way it is.
>
> I do not see significant value in extending my packaging to rebuild
> the minified files from source as part of the wordpress/publican source
> package. On the contrary, it has a significant cost:
> - I have to add the sources when upstream does not ship them
>   (which is not a problem for many upstreams since the BSD-ish
>   licences do not require you to provide the sources)
> - ensure the sources are in sync with the minified copy
>   (even when friendly upstreams provide the required sources
>   on our request, they sometimes update only the minified file
>   and forget about the sources in some other directory)
> - if the minifier is not the same as upstream, it will create
>   a divergence with upstream and can always be a source of
>   suspicion when we report issues to upstream...
I do see at least one very significant advantage of rebuilding: it's a
lot easier to check that no malicious code is inserted. And if I
understand you correctly you're shipping minified files modified by
upstream for which there might not even be complete up-to-date source
available at all, so how do you know that neither upstream nor someone
who compromised the server used by upstream inserted any backdoor in the
minified file?

What you're saying is like it's fine to have a precompiled static
auxiliary C library that gets linked into the big main program because
making sure that you've got the correct corresponding source for that
small library is hard, the whole world just uses the static library
anyway, and in case we do have the correct source then we probably don't
use the exact same compiler as upstream so the object files would
diverge from upstream. Doesn't that sound a bit ridiculous if we're
talking about C? So why would it be okay if we're talking about
javascript?

Kind regards,

Jeroen Dekkers
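The check Jeroen argues for, as an added example that is not part of this thread or of any Debian packaging: rebuild every shipped `*.min.js` from the bundled source with a pinned minifier and report files that have no source at all or whose rebuild does not match byte for byte. The minifier command and the `foo.js` / `foo.min.js` naming convention are assumptions; to avoid the spurious divergence Raphael mentions, the command must be the same minifier version upstream used.

```python
"""Rebuild each shipped *.min.js from its bundled source with a pinned
minifier and compare the result byte for byte. Added example, not code from
the thread; the minifier command is an assumption and must be the same
version upstream used, or every file shows up as 'diverged'."""
import subprocess
import tempfile
from pathlib import Path


def rebuild(source: Path, minifier: list[str]) -> bytes:
    # The minifier is expected to write its output to stdout, as
    # e.g. `uglifyjs file.js` does; check=True surfaces minifier errors.
    return subprocess.run(minifier + [str(source)], capture_output=True,
                          check=True).stdout


def check_tree(root: Path, minifier: list[str]) -> dict[str, str]:
    """Map each *.min.js under root to 'ok', 'no-source' or 'diverged'."""
    report = {}
    for shipped in sorted(root.rglob("*.min.js")):
        rel = str(shipped.relative_to(root))
        # Convention assumed here: foo.min.js is built from foo.js next to it.
        source = shipped.with_name(shipped.name[:-len(".min.js")] + ".js")
        if not source.is_file():
            report[rel] = "no-source"   # nothing to rebuild from: add sources
        elif rebuild(source, minifier) == shipped.read_bytes():
            report[rel] = "ok"
        else:
            report[rel] = "diverged"    # shipped != rebuild: inspect the diff
    return report


def demo() -> dict[str, str]:
    """Constructed fixture; `cat` stands in for a deterministic minifier."""
    root = Path(tempfile.mkdtemp())
    (root / "a.js").write_bytes(b"var a=1;\n")
    (root / "a.min.js").write_bytes(b"var a=1;\n")          # matches rebuild
    (root / "b.min.js").write_bytes(b"var b=2;\n")          # no source shipped
    (root / "c.js").write_bytes(b"var c=3;\n")
    (root / "c.min.js").write_bytes(b"var c=3;var d=4;\n")  # extra code added
    return check_tree(root, ["cat"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Run with a real minifier by replacing `["cat"]` with the pinned command, e.g. `["uglifyjs"]`, and pointing `check_tree` at the unpacked source package; a `no-source` or `diverged` entry is what should fail the build.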