
Re: Non-source Javascript files in upstream source



Wouter Verhelst <w@uter.be> writes:

> The point is, I'm having a hard time buying the argument that if the
> minified javascript was unmodified, and if the non-minified javascript
> library is in the archive (or a version of said javascript library
> which will function in exactly the same way), that the minified
> javascript is suddenly non-free because it does not contain the
> non-minified version in the *same* source tarball.

No-one AFAIK is making that argument, so that hopefully sets your mind
at ease.

> For the very same reason we accept built-using and *-source packages,
> I don't see a problem with having a minified javascript library in a
> source tarball *as long as the source is in Debian*, somewhere.

Agreed, if that can be known with confidence at least as good as the
very simple and reliable method of removing the non-source form out of
the Debian source package.

> The point of freedom is to allow people to make changes, not to have a
> pedantically correct version of every bit of source "out there".

The point of freedom is more than merely to make changes; it is the
freedom to inspect the work and see what it does, it is the freedom to
share the work with others in the same freedom as the original.

Both those are thwarted by receiving a non-source form of the work,
without a verifiable assurance that the claimed source *actually* is the
corresponding source for the non-source form they received.

> So long as people can make such changes without too much effort (and I
> submit that in the case of minified javascript libraries without
> non-minified version, they can), I don't see what the problem is.

So that I understand your position: You're saying a recipient of Debian
who obtains, from the Debian source package, a minified JavaScript file
*without* corresponding source, has effective freedom to modify that
work?

That the freedom to modify the work does not entail that they receive
the preferred form of the work for making modifications, in order to
make modifications?

> [...]
> > How can we verify which [non-source JavaScript libraries] are
> > verbatim copies [from a work for which we demonstrably have source],
> > automatically for every release of the source package?
>
> If you must, you could take a checksum and build a database of known-
> unmodified versions. I'm not convinced that's actually useful,
> however.

If you must, that could work. That's more complex and less reliable than
simply omitting the non-source form of the work.

> We are merely guessing and hoping that most of the code in Debian is
> actually under the license terms as specified in the debian/copyright
> file, too.

The difference being that in the case of upstream's claim of copyright
grant and license terms, we have little choice, since there is no good
way to automatically and independently verify those claims.

In the case of non-source forms of a JavaScript library, we clearly have
a simple way to be certain:

> > How can we verify independently that no such assertion is false?
> > I've described a means that is certain and simple: discard the
> > non-source form from the source package.
>
> It is certainly a certain way of doing that, yes. It is also annoying
> for the maintainer involved, and should not be necessary.

I'd love for it not to be necessary; sadly, until upstream stop bundling
non-source forms of a work, the onus for ensuring Debian recipients
actually get the corresponding source for what's in Debian falls to us
as maintainers.

-- 
 \      “The best mind-altering drug is truth.” —Jane Wagner, via Lily |
  `\                                                            Tomlin |
_o__)                                                                  |
Ben Finney
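
The checksum database suggested in the quoted text, sketched as an added example (not code from either poster or from Debian): it hashes every *.min.js file in an unpacked source tree and reports which ones are byte-identical to a recorded file. The `known` mapping, the package name `libjs-example` and the sample files are constructed assumptions. A match only shows the file is a verbatim copy of a recorded one; whoever builds the database still has to establish that the recorded file corresponds to source in the archive.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root: Path, known: dict) -> dict:
    """Classify every *.min.js under root by exact-content lookup in `known`.

    `known` maps a SHA-256 hex digest to the name of the package assumed
    to carry the corresponding source for that exact file (hypothetical).
    """
    report = {"verbatim": [], "unverified": []}
    for path in sorted(root.rglob("*.min.js")):
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in known:
            report["verbatim"].append((rel, known[digest]))
        else:
            # Unknown or locally modified: no recorded source for these bytes.
            report["unverified"].append((rel, digest))
    return report


def build_sample_tree(root: Path) -> dict:
    """Constructed sample data: one verbatim copy and one altered copy."""
    original = b"(function(){var a=1;window.lib={v:a}})();\n"
    (root / "static").mkdir()
    (root / "static" / "lib.min.js").write_bytes(original)
    (root / "static" / "patched.min.js").write_bytes(original.replace(b"a=1", b"a=2"))
    return {hashlib.sha256(original).hexdigest(): "libjs-example"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known = build_sample_tree(root)
        for kind, entries in audit_tree(root, known).items():
            for entry in entries:
                print(kind, *entry)
```

Any entry under `unverified` is a file for which the database gives no assurance, including a minified file that differs from a recorded one by a single byte.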

