On Thursday, 6 October 2016, 14:38:21 CEST, Adrian Bunk wrote:
> I am not sure whether this has been filed as a bug in any affected
> package, but src:sqlite3 is not affected.
>
> The problem is the amalgamation in other packages, for example:
> https://sources.debian.net/src/firefox/49.0-4/db/sqlite3/src/sqlite3.c
This is of course problematic, especially because this source file is copied
multiple times across the archive. It should really be under the Security
Team's radar through
https://wiki.debian.org/EmbeddedCodeCopies
(it apparently isn't).

That said, there _is_ code to reproduce this amalgamation (roughly, a
concatenation) in Debian main already, see [0] for example.
mksqlite3.tcl as well as all the source files it will bundle in sqlite3.c are
DFSG-free source, and are available in Debian. Sure, sqlite3.c as embedded in
firefox 49.0-4 is in version 3.13.0 and that version of src:sqlite3 isn't in
any Debian suite anymore (we have snapshot.d.o though [1]).

All of the above are imperfections (yes, bugs) in how src:firefox handles its
internal sqlite3.c code copy. In an ideal world:

* src:sqlite3 would provide sqlite3.c in a binary package (sqlite3-static ?)
* src:firefox would build-depend against that package, and get rebuilt on
  sqlite3 security uploads
* firefox would use Built-Using pointing at the correct version of src:sqlite3

Note that the latter mechanism could be used immediately to get dak to
guarantee the availability of the correct version of src:sqlite3 in the mirror's
pool.

As a conclusion, my point is we aren't talking about the same thing:

* On the src:sqlite3 (in src:firefox) side, we have a giant C file, merely a
  concatenation of source files in Debian, using a script available in Debian,
  all of which is free software.
* On the bug that triggered this discussion (#817092 in libjs-handlebars), we
  have the "browserified" handlebars-v1.3.0.js [2] which is a "transformation" of
  source files not in Debian, using tools not in Debian.

As was pointed out by Phil in [3], although the result is JavaScript code, the
transformation is more than "just" concatenation. The original source files are
not available in Debian, and the tools aren't either.
--
Cheers,
OdyX
[0] http://sources.debian.net/src/sqlite3/3.14.2-1/tool/mksqlite3c.tcl
[1] http://snapshot.debian.org/package/sqlite3/3.13.0-1/
[2] https://sources.debian.net/src/libjs-handlebars/1.3.0-1/handlebars-v1.3.0.js/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830978#90
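As an added illustration of the embedded-code-copy problem discussed in this thread (example code, not part of the mail or of any Debian tooling): a small Python scan that walks an unpacked source tree, finds sqlite3.c amalgamations by the SQLITE_VERSION define the amalgamation carries in its header portion, and flags any copy older than a chosen reference release. The sample tree it builds, including a firefox-style db/sqlite3/src/ path holding a 3.13.0 copy next to a 3.14.2 one, is constructed for the demo, and the function names (scan_tree, outdated_copies, build_sample_tree) are my own.

```python
"""Locate embedded sqlite3.c amalgamations in a source tree and flag stale ones.

Added example, not code from the original mail. The sample tree it creates
(including the firefox-like db/sqlite3/src/ path) is constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# The amalgamation embeds the public header, so these defines sit near its top.
VERSION_RE = re.compile(r'^#define\s+SQLITE_VERSION\s+"(\d+\.\d+\.\d+)"', re.M)
AMALGAMATION_RE = re.compile(r'^#define\s+SQLITE_AMALGAMATION\b', re.M)
HEAD_BYTES = 1 << 20  # the defines are well within the first MiB of a ~7 MB file


def parse_version(text):
    """'3.13.0' -> (3, 13, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_tree(root):
    """Return one record per sqlite3.c under root that declares SQLITE_VERSION."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("sqlite3.c")):
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(HEAD_BYTES)
        match = VERSION_RE.search(head)
        if not match:
            continue  # some unrelated file that happens to be named sqlite3.c
        found.append({
            "path": path.relative_to(root).as_posix(),
            "version": match.group(1),
            "amalgamation": bool(AMALGAMATION_RE.search(head)),
        })
    return found


def outdated_copies(records, reference):
    """Records whose embedded version is older than the reference release."""
    ref = parse_version(reference)
    return [r for r in records if parse_version(r["version"]) < ref]


def fake_amalgamation(version):
    """Constructed stand-in for the header portion of a real sqlite3.c."""
    return (
        "/* This file is an amalgamation of many separate C source files. */\n"
        "#define SQLITE_CORE 1\n"
        "#define SQLITE_AMALGAMATION 1\n"
        f'#define SQLITE_VERSION        "{version}"\n'
        "int sqlite3_libversion_number(void);\n"
    )


def build_sample_tree():
    """Constructed tree: one stale copy in a firefox-like path, one current one."""
    root = Path(tempfile.mkdtemp(prefix="embedded-copies-"))
    stale = root / "db" / "sqlite3" / "src" / "sqlite3.c"
    stale.parent.mkdir(parents=True)
    stale.write_text(fake_amalgamation("3.13.0"))
    current = root / "vendored" / "sqlite3.c"
    current.parent.mkdir(parents=True)
    current.write_text(fake_amalgamation("3.14.2"))
    # A decoy with the same file name but no SQLITE_VERSION define must be skipped.
    decoy = root / "tests" / "sqlite3.c"
    decoy.parent.mkdir(parents=True)
    decoy.write_text("int main(void) { return 0; }\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    copies = scan_tree(tree)
    for rec in outdated_copies(copies, "3.14.2"):
        print(f"{rec['path']}: embeds sqlite {rec['version']}, older than 3.14.2")
```

Run against a real unpacked source package the scan reports only copies whose header declares a version, so a file merely named sqlite3.c does not trigger a false positive; the reference version is whatever src:sqlite3 release carries the fix you are tracking.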