On 12-07-19 at 10:34am, Julien Cristau wrote:
> On Thu, Jul 19, 2012 at 10:32:25 +0200, Jonas Smedegaard wrote:
> > A user may - directly or via a dependent package - rely on the 
> > minified version being a file, even if *other* files in this package 
> > is usable only when webserver has relaxed its security to follow 
> > symlinks.
> > 
> I'm still not following, sorry.  How would one "rely" on such a thing?

The very purpose of minified JavaScript files is to reduce download 
times when serving the files via a slow connection (typically http over 
a WAN).

Some http daemons follow symlinks and serve their source, but some does 
not by default to limit risk of security flaws.

If I install e.g. Apache2 + Drupal + jquery and have apache configured 
to not follow symlinks (either because that's the default of Apache2 or 
because I changed the settings to tighten security) then upgrading to a 
jquery package that provides the minified file as a symlink instead of a 
real file as before, my website will be broken by that package update.

Does it make sense now?

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: Digital signature

Pkg-javascript-devel mailing list

Reply via email to