On 12-07-19 at 10:34am, Julien Cristau wrote:
> On Thu, Jul 19, 2012 at 10:32:25 +0200, Jonas Smedegaard wrote:
>
> > A user may - directly or via a dependent package - rely on the
> > minified version being a file, even if *other* files in this package
> > are usable only when the webserver has relaxed its security to follow
> > symlinks.
> >
> I'm still not following, sorry. How would one "rely" on such a thing?

The very purpose of minified JavaScript files is to reduce download times when serving the files via a slow connection (typically http over a WAN).

Some http daemons follow symlinks and serve their source, but some do not by default, to limit the risk of security flaws.

If I install e.g. Apache2 + Drupal + jquery and have apache configured to not follow symlinks (either because that's the default of Apache2 or because I changed the settings to tighten security), then when I upgrade to a jquery package that provides the minified file as a symlink instead of a real file as before, my website will be broken by that package update.

Does it make sense now?

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
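
An added example, not part of the original message: a pre-upgrade check that lists every symlink under a web root and says which Apache symlink option (`FollowSymLinks` or `SymLinksIfOwnerMatch`) would be needed to keep serving it. The function names, status labels and sample file layout are assumptions constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """Map each symlink under docroot (relative path) to the Apache
    symlink setting it depends on. Hypothetical helper for illustration."""
    findings = {}
    # followlinks=False: symlinked directories are listed but not descended into
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue  # real files are served regardless of symlink options
            rel = os.path.relpath(path, docroot)
            try:
                target = os.stat(path)  # follows the link to its target
            except OSError:
                findings[rel] = "dangling"  # broken under every setting
                continue
            # SymLinksIfOwnerMatch requires link and target to share an owner
            if os.lstat(path).st_uid == target.st_uid:
                findings[rel] = "needs-follow-or-owner-match"
            else:
                findings[rel] = "needs-follow"
    return findings


def build_sample(root):
    """Constructed layout: a real file, a 'minified' file shipped as a
    symlink, and a dangling link left behind by a removed file."""
    js = os.path.join(root, "js")
    os.makedirs(js)
    with open(os.path.join(js, "jquery.js"), "w") as fh:
        fh.write("/* constructed sample */\n")
    os.symlink("jquery.js", os.path.join(js, "jquery.min.js"))
    os.symlink("missing.js", os.path.join(js, "old.min.js"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, status in sorted(audit_symlinks(root).items()):
            print(f"{status:30} {rel}")
```

Any path reported here stops being served when the server is configured not to follow symlinks, which is the breakage the message describes.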