[17:14:27] <tgr> Reedy: I thought the plan was to use npm to fetch the source but commit it to the patch and use ResourceLoader or webpack to minify it locally?
[17:15:28] <tgr> I'd hope Security vetoes everything that does not snapshot the source
This somewhat goes along with the reproducible build idea - https://wiki.debian.org/ReproducibleBuilds/About and https://reproducible-builds.org/ . If I have the source files, I should be able to make the same minified file as the original author did who added the minified file (or, that version of) to the git repo. Ideally, CI would do these steps to confirm
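
The CI check described in the comment above, as an added example that is not part of the original discussion or of any project's tooling: it rebuilds a minified file from the committed source and compares SHA-256 digests with the committed artifact. The function names and exit codes are assumptions, and the build command is whatever deterministic minifier invocation the repository pins, passed in by the caller and reading source on stdin.

```shell
#!/bin/sh
# Added example: fail CI when a committed minified file cannot be
# reproduced byte-for-byte from the source committed next to it.
# Usage (hypothetical file names): sh check.sh SRC COMMITTED BUILD_CMD [ARGS...]
# BUILD_CMD must read the source on stdin and write the artifact to stdout.

sha256_of() {
    # sha256sum on most Linux CI images, shasum on macOS/BSD runners.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the rebuild matches, 1 if it differs,
# 2 if an input is missing or the build command itself fails.
verify_minified() {
    src=$1; committed=$2; shift 2
    [ -f "$src" ] && [ -f "$committed" ] || {
        echo "missing input: $src or $committed" >&2; return 2; }
    rebuilt=$(mktemp) || return 2
    # Rebuild into a scratch file; never overwrite the committed artifact.
    if ! "$@" < "$src" > "$rebuilt"; then
        echo "build failed for $src" >&2
        rm -f "$rebuilt"; return 2
    fi
    want=$(sha256_of "$committed")
    got=$(sha256_of "$rebuilt")
    rm -f "$rebuilt"
    if [ "$want" = "$got" ]; then
        echo "OK   $committed $got"
        return 0
    fi
    # A mismatch means the artifact was not produced from this source with
    # this toolchain: drift, an unpinned minifier version, or a modified file.
    echo "DIFF $committed committed=$want rebuilt=$got" >&2
    return 1
}

# When run as a script with arguments, act as the CI step.
if [ "$#" -ge 3 ]; then
    verify_minified "$@"
    exit $?
fi
```

A digest match only means something if the minifier version and its options are pinned in the repository, because a different toolchain version can legitimately produce different bytes from the same source.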