Posted to general@incubator.apache.org by Justin Mclean <ju...@classsoftware.com> on 2018/05/21 07:52:39 UTC

Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Hi,

> Javascript code that is minified or combined in any major way is much more
> like binary code in that respect. It is true that somebody *could* inspect
> the correlation, but it is not true that this inspection is either normally
> done or easily done.

Thanks Ted, I’ve not thought of it in that way before. I've seen several source releases that include minified JavaScript; I'm just curious what people think about this.

Do people think it OK to include minified JS in a source release if:
1. It's ASF developed code and the full unminified source code is included as well.
2. The minified JS is 3rd party code, is identified by version (and thus can be checked via a comparison with the canonical minified version)

Thanks,
Justin


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Christopher <ct...@apache.org>.
On Wed, May 23, 2018 at 12:16 AM Greg Stein <gs...@gmail.com> wrote:

> On Mon, May 21, 2018 at 2:52 AM Justin Mclean <ju...@classsoftware.com>
> wrote:
>
> > Hi,
> >
> > > Javascript code that is minified or combined in any major way is much
> > more
> > > like binary code in that respect. It is true that somebody *could*
> > inspect
> > > the correlation, but it is not true that this inspection is either
> > normally
> > > done or easily done.
> >
> > Thanks Ted I’ve not thought of it in that way before. I've seen several
> > source releases that include minified javascript I'm just curious what
> > people think about this.
> >
> > Do people think it OK to include minified JS in a source release if:
> > 1. It's ASF developed code and the full unminified source code is
> included
> > as well.
> >
>
> Absolutely.
>
>
Also agree, yes.


> Think "autoconf" ... the resulting "configure" file is as opaque as a
> minified JS file or a binary. Nobody edits/modifies that shell script. And
> we've been doing this for *years* ... it's natural and normal.
>
>
I agree. It's only a problem if the project does not include the original
source, like in https://issues.apache.org/jira/browse/THRIFT-4119 (an
outstanding omission of source issue currently described as "intended
behavior").


> The general rule is "don't place generated artifacts into source control",
> but we nearly always include generated artifacts in our source releases.
>
>
> > 2. The minified JS is 3rd party code, is identified by version (and thus
> > can be checked via a comparison with the canonical minified version)
> >
>
> I recommend using a CDN for these, when possible (eg. bootstrap and jquery)
> as noted else-thread. That works well for the end-user, and avoids many of
> these questions.
>
>
Accumulo recently addressed a similar situation. We ended up bundling
non-minimized, but made the webapp configurable, in case users want to
switch to a non-bundled minimized version, a more up-to-date version
(jQuery gets a lot of security updates), or one from their preferred CDN. I
would strongly agree with Greg's recommendation to use a CDN by default...
but if you need to bundle... making it user-configurable might be an option.

There might be another good reason to avoid bundling minified versions, and
this reason specifically applies to *minified* (obfuscated) source (rather
than to all generated code): that is, it's not considered "free software"
according to the Free Software Foundation
(http://www.gnu.org/philosophy/free-sw.html), nor is it considered "open
source" according to the Open Source Initiative (http://opensource.org/osd).
Of course, these definitions aren't necessarily ASF definitions... but they
do tend to be respected definitions (this was first brought to my attention
by the Fedora/RedHat community, which tends to be very strict about these
things).


> Cheers,
> -g
>

Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by 吴晟 Sheng Wu <wu...@foxmail.com>.
>>... Do people think it OK to include minified JS in a source release if:
>> 1. It's ASF developed code and the full unminified source code is included
>> as well.


+1, and I suggest you provide a document to help people who want to verify the minified JS, such as how to generate the minified JS from the unminified source code.


------------------
Sheng Wu
Apache SkyWalking

------------------ Original ------------------
From:  "Bertrand Delacretaz"<bd...@codeconsult.ch>;
Date:  Wed, May 23, 2018 04:10 PM
To:  "Incubator General"<ge...@incubator.apache.org>;

Subject:  Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)



On Wed, May 23, 2018 at 6:16 AM, Greg Stein <gs...@gmail.com> wrote:
> On Mon, May 21, 2018 at 2:52 AM Justin Mclean <ju...@classsoftware.com>
> wrote:
>>... Do people think it OK to include minified JS in a source release if:
>> 1. It's ASF developed code and the full unminified source code is included
>> as well.
>>
> Absolutely...

Same here, as long as there's a documented way (automated ideally) of
recreating the minified version, people can find out themselves that
it's the correct version, if they want to check.

-Bertrand


Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Bertrand Delacretaz <bd...@codeconsult.ch>.
On Wed, May 23, 2018 at 6:16 AM, Greg Stein <gs...@gmail.com> wrote:
> On Mon, May 21, 2018 at 2:52 AM Justin Mclean <ju...@classsoftware.com>
> wrote:
>>... Do people think it OK to include minified JS in a source release if:
>> 1. It's ASF developed code and the full unminified source code is included
>> as well.
>>
> Absolutely...

Same here, as long as there's a documented way (automated ideally) of
recreating the minified version, people can find out themselves that
it's the correct version, if they want to check.

-Bertrand



Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Greg Stein <gs...@gmail.com>.
On Mon, May 21, 2018 at 2:52 AM Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > Javascript code that is minified or combined in any major way is much
> more
> > like binary code in that respect. It is true that somebody *could*
> inspect
> > the correlation, but it is not true that this inspection is either
> normally
> > done or easily done.
>
> Thanks Ted I’ve not thought of it in that way before. I've seen several
> source releases that include minified javascript I'm just curious what
> people think about this.
>
> Do people think it OK to include minified JS in a source release if:
> 1. It's ASF developed code and the full unminified source code is included
> as well.
>

Absolutely.

Think "autoconf" ... the resulting "configure" file is as opaque as a
minified JS file or a binary. Nobody edits/modifies that shell script. And
we've been doing this for *years* ... it's natural and normal.

The general rule is "don't place generated artifacts into source control",
but we nearly always include generated artifacts in our source releases.


> 2. The minified JS is 3rd party code, is identified by version (and thus
> can be checked via a comparison with the canonical minified version)
>

I recommend using a CDN for these, when possible (eg. bootstrap and jquery)
as noted else-thread. That works well for the end-user, and avoids many of
these questions.

Cheers,
-g

Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Hen <ba...@apache.org>.
On Mon, May 21, 2018 at 4:22 PM, Ted Dunning <te...@gmail.com> wrote:

> On Mon, May 21, 2018, 21:12 Justin Mclean <ju...@classsoftware.com>
> wrote:
>
> > Hi,
> >
> > > Why does this need to be included at all? Why not just provide a
> pointer
> > to
> > > the canonical minified version?
> >
> > Most common occurrence (off the top of my head) is a minified version of
> > bootstrap for project site / documentations. So your view is that that
> > shouldn’t be included in a source release?
> >
>
> Sure. D3 and jQuery will wind up in the same boat.
>
> I would not go so far as to emphatically say not to include them, but I
> don't see the real need to include them given that they are so easily
> downloadable. A URL and a checksum keeps the distro clean.
>

Point to a CDN instead of copying into the distro?

On the one hand, one can argue a CDN is bad if someone wants to read
offline. On the other, I don't like being added to the security update
chain if there is an issue in D3/jQuery/bootstrap etc.

Hen

Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Ted Dunning <te...@gmail.com>.
On Mon, May 21, 2018, 21:12 Justin Mclean <ju...@classsoftware.com> wrote:

> Hi,
>
> > Why does this need to be included at all? Why not just provide a pointer
> to
> > the canonical minified version?
>
> Most common occurrence (off the top of my head) is a minified version of
> bootstrap for project site / documentations. So your view is that that
> shouldn’t be included in a source release?
>

Sure. D3 and jQuery will wind up in the same boat.

I would not go so far as to emphatically say not to include them, but I
don't see the real need to include them given that they are so easily
downloadable. A URL and a checksum keeps the distro clean.



>

Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Why does this need to be included at all? Why not just provide a pointer to
> the canonical minified version?

Most common occurrence (off the top of my head) is a minified version of bootstrap for project site / documentation. So your view is that that shouldn’t be included in a source release?

Thanks,
Justin


Re: Minified Javascript in source releases (was Re: [VOTE] Release Apache ECharts (incubating) 4.1.0.rc3)

Posted by Ted Dunning <te...@gmail.com>.
On Mon, May 21, 2018 at 12:52 AM, Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > Javascript code that is minified or combined in any major way is much
> more
> > like binary code in that respect. It is true that somebody *could*
> inspect
> > the correlation, but it is not true that this inspection is either
> normally
> > done or easily done.
>
> Thanks Ted I’ve not thought of it in that way before. I've seen several
> source releases that include minified javascript I'm just curious what
> people think about this.
>
> Do people think it OK to include minified JS in a source release if:
> 1. It's ASF developed code and the full unminified source code is included
> as well.
>

I would much rather simply provide instructions for creating the minified
version.


> 2. The minified JS is 3rd party code, is identified by version (and thus
> can be checked via a comparison with the canonical minified version)
>

Why does this need to be included at all? Why not just provide a pointer to
the canonical minified version?
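
Added example, not written by any poster in this thread and not code from any ASF project: one way a release reviewer could automate the "URL and a checksum" idea and the comparison against the canonical minified version, plus a pinned script tag for the CDN option. The manifest layout, file names, URLs and sample bytes are assumptions constructed for the illustration.

```python
import base64, hashlib, tempfile
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def cdn_script_tag(url: str, data: bytes) -> str:
    """<script> tag pinned with Subresource Integrity, for the CDN option."""
    sri = "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()
    return f'<script src="{url}" integrity="{sri}" crossorigin="anonymous"></script>'

def audit_release(root: Path, manifest: dict) -> dict:
    """Classify every *.min.js under root against pinned canonical digests.

    manifest: path relative to root -> {"version", "url", "sha256"}.
    """
    report = {"verified": [], "mismatch": [], "unlisted": [], "missing": []}
    seen = set()
    for path in sorted(root.rglob("*.min.js")):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        entry = manifest.get(rel)
        if entry is None:
            report["unlisted"].append(rel)    # minified file nobody vouched for
        elif sha256_hex(path.read_bytes()) == entry["sha256"]:
            report["verified"].append(rel)    # byte-identical to canonical build
        else:
            report["mismatch"].append(rel)    # modified, or wrong version
    report["missing"] = sorted(set(manifest) - seen)  # pinned but not shipped
    return report

def demo() -> dict:
    # Constructed stand-in bytes and URLs, not real library releases.
    canonical = b"/*! liba v1.2.3 (constructed) */!function(){}();"
    def pin(name):
        return {"version": "1.2.3", "sha256": sha256_hex(canonical),
                "url": f"https://cdn.example.invalid/{name}"}
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp) / "site" / "js"
        js.mkdir(parents=True)
        (js / "liba.min.js").write_bytes(canonical)
        (js / "libb.min.js").write_bytes(canonical + b"/*edited*/")
        (js / "extra.min.js").write_bytes(b"!function(){}();")
        manifest = {f"site/js/{n}": pin(n) for n in ("liba.min.js", "libb.min.js")}
        return audit_release(Path(tmp), manifest)

if __name__ == "__main__":
    print(demo())
```

A non-empty "mismatch" or "unlisted" list is the signal to hold a release vote until the file is replaced with the canonical copy or added to the manifest.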