url-to-qrcode-firefox-addon icon indicating copy to clipboard operation
url-to-qrcode-firefox-addon copied to clipboard

Published 20 hours ago verified publisher icon smoqadam

Use un-minified kjua

Open ssokolow opened this issue 5 years ago • 3 comments

I chose this extension because it doesn't even require the download and history permissions Offline QR Code Generator asks for... but it'd be a lot easier to feel confident about my choice if I didn't have to search up a Javascript prettifier to check that the bundled copy of kjua looks right.

(Plus, it'd play more nicely with git diff or gitk if someone wants to use the existing repository tools to see what changed if you upgrade it.)

ssokolow avatar Oct 02 '20 20:10 ssokolow

I think minification is not the problem. To verify integrity, we can use checksums, so we can keep the data-weight as low as possible.

I compared this version 0.4.0 with the one from https://github.com/lrsjng/kjua/blob/v0.4.0/dist/kjua.min.js with sha256sum

a3ff9d3c8b2f752eff718dd4a7d5e8c424aa9eae384ab08fed71fbb06db27956  kjua-0.4.0.min.js
a3ff9d3c8b2f752eff718dd4a7d5e8c424aa9eae384ab08fed71fbb06db27956  kjua.min.js

IT'S A MATCH :cupid:

For more information you can look here: https://itsfoss.com/checksum-tools-guide-linux/#what-is-checksum

gitbreaker222 avatar Mar 29 '21 16:03 gitbreaker222

I'm well aware of checksums, even if I didn't think to go track down the kjua upstream.

so we can keep the data-weight as low as possible.

You're misjudging the factors that go into that decision.

  1. When you know the content is guaranteed to be sent compressed like an extension install package, and it's something that's guaranteed to be downloaded once and then retained until it's time to update, like an install package, the benefits of minification are less important.
  2. It's generally good practice to store un-minified content in a source repository for the reasons I stated above. (eg. Making it as easy as possible to see what's changed between two commits in one unified view, rather than having to manually dig up the corresponding commits in the kjua repo or prettify and then diff the minified versions.)
  3. Any argument for minifying kjua also applies to minifying qrcode.js and, if you're minifying qrcode.js, then you can apply the same process to an un-minified copy of kjua while you're at it.

ssokolow avatar Mar 29 '21 16:03 ssokolow

I agree with low benefit of minification in this cases like this, but it also would be generally good practice I guess ^^

On the other hand I think it is rather rare to keep full copies of libraries in the repo, because they are not meant to be edited anyway.

If we set up a build-process to minify qrcode.js, it would make more sense to get kjua from npm and only store the link in package.json. But at this point, it would not comply with "keep it simple, stupid" any more ^^

But I see your point. I also like to check all permissions of apps and add-ons before installing them - that's why I landed here :grin:. Let's see how the owner responds...

P.S.: I didn't mean to teach you about checksum, but I like to explain a bit more in open-source discussions for future readers

gitbreaker222 avatar Mar 29 '21 21:03 gitbreaker222