Monday 19 October 2015

Minifying JS files with no node-uglify in main

Hi all,

There are lots of packages that have JS files to be minified, and some of them
are in main (including core JS libraries such as jquery and underscore).

In Debian the de-facto standard tool for minifying files is node-uglify (source
package uglifyjs). In Ubuntu, we do not want nodejs in main, so such packages
are patched to either have the files non-minified or to use an alternative
minifier such as yui-compressor (example: [1]).

However, yui-compressor is mostly unmaintained upstream (its last release was in
May 2013, compared with uglifyjs, whose latest release was 5 days ago), which
means it potentially has bugs that can be used to insert backdoors into code (I
recommend reading [2]).

Also, not using node-uglify means we have a Debian delta for most JS packages in
main, which in turn means we can miss some important fixes from Debian.

So my question is: based on the security concerns raised above, can we reconsider
shipping nodejs and node-uglify in main, maybe restricting its use to only
build-time JS minifying?

(Context: I have been working on modernizr which I will need in main soon, and
it also uses node-uglify in Debian.)

[1]: https://launchpad.net/ubuntu/+source/underscore/1.1.6-1ubuntu1
[2]: https://zyan.scripts.mit.edu/blog/backdooring-js/

--
Dmitry Shachnev