-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Oct 21, 2016 at 07:26:43AM +0200, Vincent Bernat wrote: > It would be as easy for the security team to modify the unminified version > than the "upper" upstream version of the source.
The release team has just decided that "browserified" files are not source. Please stop suggesting that they are just a different kind of source; if you really want to claim that, start a GR over it to overrule the release team. (Please don't; it'd be a waste of time because AFAICS it stands no chance of passing, in fact I'd be surprised if you'd get enough seconds.) > I suppose that (like me), Ondřej Surý does not want to deal with the > complexity of building JS from the "upper" source for the benefit of > people that don't exist. Aside from the fact that those people don't need to exist, as stated in another email, they do. I'm one of them. The fact that I can retrieve the source of the software I'm using and it will actually build from that source is one of the main features that I like Debian for. And when I make changes, I want to send them back upstream, so "browserified" files are not good enough for me. Thanks, Bas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJYDbqYAAoJEJzRfVgHwHE64SIP/RpZOrqwXyvWRKyqE1+2rBiz GRxe0NLHK5OBGkg64P3jwQyz+FrH44U5OQ3GrJgOzRkaqFCb37guZYy+fhpFa7DX HwxT/fB+woQwry5dOs0jicmT8xEp+mQqBKRI8jM/BX73LVfInsOb6XVzSFEMkvSj O8L7+0Q7lmHOHizmPCbM311fNkWYkdVzabSUb4/1vnQZYqZKVp6wr+W0f6mZi040 ULHstz6HhcjWXEKnbxc3Ey6biDZNSF71vP/N3rTN5Kkk/kJ9/dr0NInzF3Uzw2su 8y803eh0uucEE+LXxe1BoD3KOi7FEZX37wC5ogSvWCHvq1mddYZPxIUgf/4lZRdp JalQ1XvUyNB+nW/p7L/9+Tn6aYSyCQ84Kas9Y9PaymzTuBa2XrCuhY2h2k6/v+SX t+PmyzX3oeBVscPWq/aP3Ee/uf3g3y6YNuIBjaLD9gFipvz2g/E7mZ58f41LdPWd V+bYptYtv+essnldA/0Pck+fRA9mpSWrJ8PR98CuAgdZ11n9LkgS/xmYwvXWDOZZ y7VslGA8LkO8Pn8tWSVMKSBSPjwHqKixWgG41zq7PKqVdT4b37cWAMCGgGwJRIwC rWInHvmDDtw5RoT7JVFZcUnxw2RWuOcIeRLyHlKmFOZNls0bTlFbre00KYAp7zXP mkD0wNL6TxTu/HDH4MQf =p3i7 -----END PGP SIGNATURE-----