
Bug#839570: Browserified javascript and DFSG 2 (reopening)



On Thu, Oct 06, 2016 at 11:48:36AM +0200, Philip Hands wrote:
>...
> The security team are going to have to track down every instance of that
> code and fix it.  If the bug is something to do with an interaction
> between the code and the tools used to "browserify" the code, that may be
> non-trivial.

For the DFSG it is perfectly fine if a package ships a private 
(potentially modified) copy of the code and only works with this 
specific copy.

And providing 3 years of security support for a huge amount
of JS packages sounds challenging in any case.

I would strongly distinguish between the "what is source code according 
to the DFSG" and "what can the security team support" questions.

The former is a general question that is relevant here,
the latter is a release-specific issue that should be
discussed separately.

>...
> Of course, for that to happen we'd have to start accepting tiny
> javascript packages, which is currently not happening (which also seems
> to be a blocker to grunt being packaged BTW).

https://sources.debian.net/src/node-number-is-nan/1.0.0-1/index.js/

I cannot imagine a package more tiny than this one that was accepted 
last month.

> Cheers, Phil.
>...

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

