Bas Wijnen writes ("Re: Security concerns with minified javascript code"):
> AFAIK Debian doesn't *require* generated files to be rebuilt. For
> example, it used to be common practice for a long time to copy
> config.{guess,sub} from autotools-dev instead of regenerating them
> with autoreconf (I think there is consensus now that regenerating is
> better, but it still isn't a policy requirement).

config.{guess,sub} aren't modified by autotools, are they? Just copied.
I think you probably want to be thinking about configure.

Not regenerating configure doesn't pose any significant risk that we're
shipping a configure script that we can't regenerate (or, at least,
regenerate an equivalent or better one). I've not heard of people (for
example) using private autoconf macros not included in their build tree.

So I think that while you are right in the general case that we should
regenerate everything from source, I think that autotools output might
reasonably get an exception. There might be other possible exceptions.
The key point is that we want to be confident that we can modify what
are supposedly the input files, regenerate the output files, and get a
working package.

> I don't see why javascript minification would be different from C
> compilation in a way that would lead to a different way of handling
> it.

In practice, given the widely adopted poor practice surrounding webapps
in general and minified javascript in particular, I think that the only
way we can be confident enough that we have useable source code is to
actually use what we think is the source code.

Ian.
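A packaging-side check in the spirit of the point above, as an added example that is not part of the original post or of Debian's own tooling: it flags shipped JavaScript that looks minified but has no unminified source anywhere in the tree, i.e. an output file the packager could not regenerate. The file-name and content heuristics and their thresholds are assumptions for illustration.

```python
# Added example, not code from the mailing-list post or from Debian's tooling:
# flag shipped JavaScript that looks minified but has no unminified source in
# the tree. The name/content heuristics and their thresholds are assumptions.
import tempfile
from pathlib import Path

MAX_REASONABLE_LINE = 500   # assumed: hand-written JS rarely exceeds this
MIN_NEWLINE_RATIO = 0.005   # assumed: under ~1 newline per 200 bytes is minified


def looks_minified(path: Path) -> bool:
    """True if the name says .min.js or the content is dense one-line code."""
    if path.name.endswith(".min.js"):
        return True
    text = path.read_text(encoding="utf-8", errors="replace")
    if not text.strip():
        return False
    longest = max(len(line) for line in text.splitlines())
    return longest > MAX_REASONABLE_LINE and text.count("\n") / len(text) < MIN_NEWLINE_RATIO


def candidate_sources(root: Path, minified: Path) -> list[Path]:
    """Unminified files named like the artifact (foo.js for foo.min.js), anywhere under root."""
    name = minified.name
    base = name[:-len(".min.js")] if name.endswith(".min.js") else minified.stem
    return [p for p in root.rglob(base + ".js") if p != minified and not looks_minified(p)]


def unregenerable_minified(root: Path) -> list[str]:
    """Relative paths of minified JS files with no non-minified source in the tree."""
    return sorted(js.relative_to(root).as_posix()
                  for js in root.rglob("*.js")
                  if looks_minified(js) and not candidate_sources(root, js))


def demo() -> list[str]:
    """Run the check over a constructed sample tree; returns the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            "lib/a.js": "function a() {\n  return 1;\n}\n",       # real source
            "lib/a.min.js": "function a(){return 1}",             # regenerable: lib/a.js exists
            "vendor/b.min.js": "function b(){return 2}",          # no source shipped
            "vendor/c.js": "var c=1;" * 80,                       # minified despite plain name
            "src/d.js": "function d() {\n  return 4;\n}\n",       # ordinary source
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return unregenerable_minified(root)


if __name__ == "__main__":
    print(demo())  # prints ['vendor/b.min.js', 'vendor/c.js']
```

Anything the check flags is exactly the case the post worries about: a generated file in the package with nothing we could rebuild it from.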