
Re: Non-source Javascript files in upstream source

On Wednesday 7 May 2014 20:14:50, Ben Finney wrote:

> Wouter Verhelst <wouter@debian.org> writes:
> > On Friday 2 May 2014 15:58:37, Paul Tagliamonte wrote:
> > > If you were to 'update' the image, how would you do it? What things
> > > would you need? Include that. Think about what you'd need when you
> > > fork the project.
> >
> > Does that mean I should include "wget"?


> I'm sure you know this, and I am having difficulty interpreting your
> question in good faith. But in case you actually don't know:


I was speaking with tongue in cheek here. Of course I know.


The point is, I'm having a hard time buying the argument that if the minified JavaScript was unmodified, and if the non-minified JavaScript library is in the archive (or a version of said JavaScript library which will function in exactly the same way), that the minified JavaScript is suddenly non-free because it does not contain the non-minified version in the *same* source tarball.


The source is there. For the very same reason we accept built-using and *-source packages, I don't see a problem with having a minified JavaScript library in a source tarball *as long as the source is in Debian*, somewhere.


The point of freedom is to allow people to make changes, not to have a pedantically correct version of every bit of source "out there". So long as people can make such changes without too much effort (and I submit that in the case of minified JavaScript libraries without non-minified version, they can), I don't see what the problem is.



> > Most minified externally-produced JavaScript files are just downloaded
> > verbatim off the web.

> How can we verify which ones are verbatim copies, automatically for
> every release of the source package?


If you must, you could take a checksum and build a database of known-unmodified versions. I'm not convinced that's actually useful, however.



> > I agree with the sentiment that we should provide source "in Debian"
> > for everything that's actually useful for our users.

> Do you agree that nobody except the recipient gets to decide what they
> find useful?

> Or would you arrogate to the Debian project the power to deny the fact
> that a recipient may find a Debian source package useful in itself?

> > If a dependency and a symlink exists, however, it's clear that the
> > maintainer meant to say "source is over there".

> The maintainer may intend that to be true. Without independent automated
> verification, we are merely guessing and hoping.


We are merely guessing and hoping that most of the code in Debian is actually under the license terms as specified in the debian/copyright file, too. Yes, with machine-parseable copyright files you can make verifications as to whether the copyright file matches the copyright header in the file. That's still not a proof.


> How can we verify
> independently that no such assertion is false? I've described a means
> that is certain and simple: discard the non-source form from the source
> package.


It is certainly a certain way of doing that, yes. It is also annoying for the maintainer involved, and should not be necessary.



It is easy to love a country that is famous for chocolate and beer


-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
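
The checksum database suggested in the message above could look like the following sketch, which is an added example and not part of the original post or any Debian tooling. The function names, the `known` mapping, and the sample file contents are all assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large bundles do not load into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_minified(tree: Path, known: dict) -> dict:
    """Classify every *.min.js under `tree`.

    `known` maps a SHA-256 hex digest to the (library, version) of a
    verbatim upstream release (hypothetical database format).
    """
    report = {"verbatim": [], "unknown": []}
    for path in sorted(tree.rglob("*.min.js")):
        digest = sha256_file(path)
        rel = path.relative_to(tree).as_posix()
        if digest in known:
            # Byte-identical to a recorded release: report which library and
            # version it is, so the matching source package can be checked.
            report["verbatim"].append((rel, *known[digest]))
        else:
            # Locally modified, or simply a release the database lacks.
            report["unknown"].append((rel, digest))
    return report


def demo() -> dict:
    # Constructed sample data: one verbatim copy and one locally edited copy.
    upstream = b"/*! examplelib 1.0 */(function(){var a=1;window.x=a})();\n"
    patched = upstream.replace(b"a=1", b"a=2")
    known = {hashlib.sha256(upstream).hexdigest(): ("examplelib", "1.0")}
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "static").mkdir()
        (tree / "static" / "examplelib.min.js").write_bytes(upstream)
        (tree / "static" / "local.min.js").write_bytes(patched)
        return audit_minified(tree, known)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

A match only shows that the file is byte-identical to a recorded release; files in the "unknown" list still need a human to decide whether they were modified or are just missing from the database.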

