by gipsies 3942 days ago
Or by using a trusted minifier on the source code yourself, as mentioned in the link.
2 comments

You can trust the minifier as much as you want, but it can still have bugs in it. Debian trusts Firefox (Iceweasel), but that doesn't mean it's not full of security holes!
How do you tell your trusted minifier has no exploitable bugs?
Exploitable by what?
Anyone who has ever pushed a patch to the project that you're running through the minifier.
What would be the point of exploiting the minifier? The purpose is to get the code to the Debian users, how does exploiting the minifier help with that? If you can put an exploit in the program's source, you just want it to be minified as-is so that it'll run on the end user machines.
Read the linked article: https://zyan.scripts.mit.edu/blog/backdooring-js/

It has the answer to your question. Namely, you can write bugs that are exploitable that aren't present in the original source, that only appear in the minified output. Which means that a) it is a whole lot harder for someone to find (especially if it's something that is "obviously" correct), and b) it's plausibly deniable.

It might be a lot harder to spot the exploit during review if it only works in conjunction with a minifier bug.
No, you want the minified source to do something different but predictable so that nobody reading the source could spot the backdoor without knowledge of the bug. Here's an example:

https://zyan.scripts.mit.edu/blog/backdooring-js/
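
One way to notice behaviour that exists only in the minified output discussed in this thread is a differential check that runs the reviewed source and the shipped build on identical inputs. This is an added example, not code from any commenter or from the linked article; the function name `isAllowed`, both code strings and the input grid are constructed assumptions.

```javascript
// Differential check of a reviewed source function against its shipped minified
// build. Both code strings are constructed samples, not real minifier output.
const reviewedSource = `
function isAllowed(user, resource) {
  if (!user.active || user.role !== resource.requiredRole) { return false; }
  return true;
}`;

// Constructed "minified" build with a wrong boolean rewrite (|| became &&).
const shippedMinified =
  'function isAllowed(a,b){return!(!a.active&&a.role!==b.requiredRole)}';

// Evaluate a snippet and return the function called `name`. The code runs
// in-process, so do this in a throwaway environment for builds you don't trust.
function loadFunction(code, name) {
  return new Function(`${code}\n;return ${name};`)();
}

// Small exhaustive grid: enough to cover every branch of boolean-only logic.
function* inputGrid() {
  for (const active of [true, false])
    for (const role of ['admin', 'user'])
      for (const requiredRole of ['admin', 'user'])
        yield [{ active, role }, { requiredRole }];
}

// Capture a return value or the exception type, so a throw also counts as a diff.
function outcome(fn, args) {
  try { return { value: fn(...args) }; } catch (e) { return { threw: e.name }; }
}

// Run both builds on identical inputs and collect every disagreement.
function findDivergences(srcCode, minCode, name, inputs) {
  const src = loadFunction(srcCode, name);
  const min = loadFunction(minCode, name);
  const diffs = [];
  for (const args of inputs) {
    const source = outcome(src, args), minified = outcome(min, args);
    if (JSON.stringify(source) !== JSON.stringify(minified)) diffs.push({ args, source, minified });
  }
  return diffs;
}

for (const d of findDivergences(reviewedSource, shippedMinified, 'isAllowed', inputGrid())) {
  console.log(JSON.stringify(d));
}
```

A check like this only covers the inputs it enumerates, so it complements reviewing or rebuilding the minified artifact rather than replacing it.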