Bug#839570: Browserified javascript and DFSG 2 (reopening)
On Thu, Oct 06, 2016 at 11:48:36AM +0200, Philip Hands wrote:
>...
> The security team are going to have to track down every instance of that
> code and fix it. If the bug is something to do with an interaction
> between the code and the tools used to "browserifiy" the code, that may be
> non-trivial.
For the DFSG it is perfectly fine if a package ships a private
(potentially modified) copy of the code and only works with this
specific copy.
And providing 3 years of security support for a huge amount
of JS packages sounds challenging in any case.
I would strongly distinguish between the "what is source code according
to the DFSG" and "what can the security team support" questions.
The former is a general question that is relevant here,
the latter is a release-specific issue that should be
discussed separately.
>...
> Of course, for that to happen we'd have to start accepting tiny
> javascript packages, which is currently not happening (which also seems
> to be a blocker to grunt being packaged BTW).
https://sources.debian.net/src/node-number-is-nan/1.0.0-1/index.js/
I cannot imagine a package more tiny than this one that was accepted
last month.
> Cheers, Phil.
>...
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Reply to: