[Pkg-javascript-devel] Bug#679665: Bug#679665: jquery: build-deps not satisfiable in wheezy
Jonas Smedegaard
dr at jones.dk
Thu Jul 19 08:46:54 UTC 2012
On 12-07-19 at 10:34am, Julien Cristau wrote:
> On Thu, Jul 19, 2012 at 10:32:25 +0200, Jonas Smedegaard wrote:
>
> > A user may - directly or via a dependent package - rely on the
> > minified version being a file, even if *other* files in this package
> > are usable only when webserver has relaxed its security to follow
> > symlinks.
> >
> I'm still not following, sorry. How would one "rely" on such a thing?
The very purpose of minified JavaScript files is to reduce download
times when serving the files via a slow connection (typically http over
a WAN).
Some http daemons follow symlinks and serve their source, but some do
not by default to limit risk of security flaws.
If I install e.g. Apache2 + Drupal + jquery and have apache configured
to not follow symlinks (either because that's the default of Apache2 or
because I changed the settings to tighten security) then upgrading to a
jquery package that provides the minified file as a symlink instead of a
real file as before, my website will be broken by that package update.
Does it make sense now?
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
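
The situation described in the message above, as an added example that is not part of the original e-mail or of any Debian package: a shell check that lists the symlinks under a web root and says which Apache symlink option each one would need in order to be served. The function names, the output format and the demo tree are assumptions made for illustration, and `stat -c` assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example: audit a web root for symlinks, which Apache refuses to
# serve when FollowSymLinks is disabled for that directory.
# Output, one line per symlink: "<verdict>\t<path>\t-> <target>"
#   owner-match    : served if SymLinksIfOwnerMatch (or FollowSymLinks) is on
#   owner-mismatch : served only if FollowSymLinks is on
#   dangling       : target is missing, never served
# Assumption: paths under the web root contain no newlines.
audit_symlinks() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    find "$docroot" -type l | sort | while IFS= read -r link; do
        target=$(readlink "$link")
        if [ ! -e "$link" ]; then
            # -e follows the link, so this is true only for a broken link
            verdict=dangling
        elif [ "$(stat -c %u "$link")" = "$(stat -L -c %u "$link")" ]; then
            # owner of the link itself equals owner of what it points to
            verdict=owner-match
        else
            verdict=owner-mismatch
        fi
        printf '%s\t%s\t-> %s\n' "$verdict" "$link" "$target"
    done
}

# Succeeds (exit 0) when at least one symlink is present under the web root,
# so it can be used to flag a package upgrade that needs a closer look.
docroot_has_symlinks() {
    [ -n "$(audit_symlinks "$1")" ]
}

# Constructed sample tree: a real jquery.js with the minified name
# shipped as a symlink to it, as in the upgrade scenario above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/javascript/jquery"
    echo '/* full source */' > "$tmp/javascript/jquery/jquery.js"
    ln -s jquery.js "$tmp/javascript/jquery/jquery.min.js"
    audit_symlinks "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the audit before and after a package upgrade and comparing the two listings shows any file that changed from a regular file to a symlink.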