Security concerns with minified javascript code

To: debian-devel@lists.debian.org

Subject: Security concerns with minified javascript code

From: Simon Josefsson <simon@josefsson.org>

Date: Mon, 24 Aug 2015 13:54:21 +0200

Message-id: <87wpwk7vgy.fsf@latte.josefsson.org>

I believe the blog post below has relevance to Debian's stance on including minified JavaScript in packages:

https://zyan.scripts.mit.edu/blog/backdooring-js/

To me the problem suggests that it is important from a security and accountability perspective to 1) include the human-readable source code of JavaScript in Debian packages, and 2) to compile the human-readable source code into a minified code (if required) during package builds, using a JS-minifier that is included in Debian.

Thoughts? Before I regarded the problem with minified javascript as a nuisance, but I have changed my mind.

/Simon
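
One way to audit point 1) of the message above, as an added example that is not part of the original post or of any Debian tool: a Python check that lists minified JavaScript files in a source tree that have no readable counterpart. The 500-character line threshold, the sibling-or-`src/` layout, and all function and file names are assumptions; the sample tree is constructed.

```python
import os
import tempfile

MAX_LINE = 500  # assumed threshold; hand-written JS rarely has lines this long

def is_minified_file(path):
    """Heuristic: one very long line, or a long line with almost no whitespace."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        longest = max(fh.read().splitlines() or [""], key=len)
    if len(longest) > MAX_LINE:
        return True
    spaces = sum(c.isspace() for c in longest)
    return len(longest) > 200 and spaces / len(longest) < 0.05

def source_candidates(path):
    """Where readable source is expected (assumed layout: sibling or src/)."""
    d, name = os.path.split(path)
    plain = name[:-len(".min.js")] + ".js" if name.endswith(".min.js") else name
    return [p for p in (os.path.join(d, plain), os.path.join(d, "src", plain))
            if p != path]

def audit_tree(root):
    """Return minified .js files under root that have no readable source."""
    missing = []
    for d, _, files in os.walk(root):
        for name in (n for n in files if n.endswith(".js")):
            path = os.path.join(d, name)
            # Trust neither the name nor the content alone: check both.
            if not (name.endswith(".min.js") or is_minified_file(path)):
                continue
            if not any(os.path.isfile(c) and not is_minified_file(c)
                       for c in source_candidates(path)):
                missing.append(os.path.relpath(path, root))
    return sorted(missing)

def build_sample(root):
    """Constructed sample tree: one library with source, two without."""
    readable = "function add(a, b) {\n    return a + b;\n}\n"
    packed = "function add(a,b){return a+b}" * 30 + "\n"  # one 870-char line
    files = {"ok/add.js": readable, "ok/add.min.js": packed,
             "bad/lib.min.js": packed, "bad/vendor.js": packed}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_tree(tmp))
```

A file that passes this check still needs point 2): the shipped minified file is only accountable if the package build regenerates it from that source.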