| ▲ | g-b-r 2 hours ago | ||||||||||||||||
If you distribute generated artifacts you're not really distributing the source (and thus xz can happen) Even for documentation, you'd think it would be harmless to generate it, but it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files | |||||||||||||||||
| ▲ | cygx an hour ago | parent [-] | ||||||||||||||||
it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files Generated HTML files are potentially easier to audit than the scripts/toolchains used to generate them on an end user's machine if you do not pre-generate them. Off the top of my head, other things I've done is committing RELAX NG *.rnc files, but shipping *.rng files, or generating C header files for various types of data (think `xxd -i` in case of binary files, but also just large chunks of plain text that gets wrapped into a C string). | |||||||||||||||||
| |||||||||||||||||