On Mon, May 21, 2018 at 2:52 AM Justin Mclean <jus...@classsoftware.com>
wrote:

> Hi,
>
> > Javascript code that is minified or combined in any major way is much more
> > like binary code in that respect. It is true that somebody *could* inspect
> > the correlation, but it is not true that this inspection is either normally
> > done or easily done.
>
> Thanks Ted, I've not thought of it in that way before. I've seen several
> source releases that include minified javascript; I'm just curious what
> people think about this.
>
> Do people think it OK to include minified JS in a source release if:
> 1. It's ASF developed code and the full unminified source code is included
> as well.
>

Absolutely.

Think "autoconf" ... the resulting "configure" file is as opaque as a
minified JS file or a binary. Nobody edits/modifies that shell script. And
we've been doing this for *years* ... it's natural and normal.

The general rule is "don't place generated artifacts into source control",
but we nearly always include generated artifacts in our source releases.


> 2. The minified JS is 3rd party code, is identified by version (and thus
> can be checked via a comparison with the canonical minified version)
>

I recommend using a CDN for these, when possible (e.g. bootstrap and jquery)
as noted else-thread. That works well for the end-user, and avoids many of
these questions.

Cheers,
-g
