Hi François-Régis,

2014-03-25 23:34 GMT+01:00 François-Régis <f...@miradou.com>:
> I should have said "A pkg-javascript policy could be we don't embed
> minified files into orig tarball"

This is correct when Debian packager == upstream maintainer. For most
packages, that is not the case.

The current policy (we need to have that documented on [0]) is that if
the upstream tarball contains minified files, the upstream tarball
must be repackaged to exclude these files. The Debian package then
uses the repackaged tarball.

The current policy is made using the assumption that minified == compiled.
For my information: Has this ever clearly and definitively been established?

I agree that we shouldn't be redistributing *compiled* software that
we can't guarantee hasn't been fiddled with. That is indeed very
difficult to do with e.g. a compiled C program.
Minified files is a practice in the JavaScript developer community to
provider smaller files (mainly for performance reasons), but they
remain JavaScript scripts, only harder for a human to read. If you
look at the Wikipedia article (obvious mention about possible
unreliability applies) about minification [1], it doesn't compare it
to compilation (only mention of "compil*" is about the Closure
compiler, which is not what we're talking about).

To help make this situation clearer, can somebody point us to (1) the
exact part of the DFSG or policy that we're using to base our "exclude
minified files from orig tarball" policy and (2) where discussions
have been led with folks outside of our team (e.g. -devel) about the
undistributable character of minified files in upstream tarballs?

[0] https://wiki.debian.org/Javascript/Policy
[1] https://en.wikipedia.org/wiki/Minification_(programming)

Pkg-javascript-devel mailing list

Reply via email to