Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Marvin Renich <mrvn@renich.org>
Date: Mon, 31 Aug 2015 11:21:55 -0400
Message-id: <[🔎] 20150831152154.GA28751@basil.wdw>
In-reply-to: <[🔎] 20150830115237.GR16029@spark.dtdns.net>
References: <[🔎] 20150825171712.2038.86835@auryn.jones.dk> <[🔎] 20150825175820.GF16029@spark.dtdns.net> <[🔎] 87y4gzm5qs.fsf@zoro.exoscale.ch> <[🔎] 20150825223741.GH16029@spark.dtdns.net> <[🔎] 87d1yamx2y.fsf@zoro.exoscale.ch> <[🔎] 20150827220443.GJ16029@spark.dtdns.net> <[🔎] m36140otnx.fsf@neo.luffy.cx> <[🔎] 20150830021249.GA9269@virgil.dodds.net> <[🔎] m3a8t942i2.fsf@neo.luffy.cx> <[🔎] 20150830115237.GR16029@spark.dtdns.net>

First, let me make it clear that I am firmly in the camp that believes
minified JS cannot be distributed in main unless the tools to recreate
it are also in main.  It bothers me that there appears to be a
not-insignificant number of people with upload rights who do not believe
this.

This message is not about that, though.

* Bas Wijnen <wijnen@debian.org> [150830 07:53]:
> On Sun, Aug 30, 2015 at 10:14:13AM +0200, Vincent Bernat wrote:
> > Is that the preferred form of modification? It depends, but from the
> > jQuery author point of view, it isn't:
> 
> Then it isn't.

I take exception to this.  A number of discussions about "preferred form
for modification" have taken place over the years, and one of the
opinions often set forth is that there is only one "preferred form" for
any given source.  The fact is that different developers have different
preferences.

The fact that the original developer of some software used gimp to
create a simple icon does not mean that the gimp .xcf file must be
considered the preferred form for modification.  Both .png and .ico can
be modified just as easily; in fact there are many more tools in Debian
that can edit those formats than .xcf files.

The basic purpose of the phrase "preferred form for modification" is to
ensure that the right to modify the software is not hindered by only
having an obfuscated version of the source.  I would like to say "any
form of the source that can easily be modified should be allowed," but I
am not sure that I can go quite that far without any qualifications.

Also note that the phrase "preferred form of the work for making
modifications to it" comes from the GPL, not from the DFSG.

> > However, this is a readable source code that will accomodate any
> > modification that a end user will deem necessary.

I intentionally did not look at the file referred to above, and have no
idea whether I would consider it to be a "preferred form" or not.  I
merely wanted to debunk the "original author's preferred form is the
only form that can be considered preferred" statement.

...Marvin

Reply to:

References:
- Re: Security concerns with minified javascript code
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Steve Langasek <vorlon@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>

Prev by Date: Re: Security concerns with minified javascript code
Next by Date: Re: system upgrade by systemd
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread