
Re: Security concerns with minified javascript code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Aug 31, 2015 at 08:49:53AM +0200, Raphael Hertzog wrote:
> On Sun, 30 Aug 2015, Bas Wijnen wrote:
> > Why do you care that software is in main, if you evidently do not care about
> > any of the rules we have for it?
> 
> I don't think that implying that Vincent doesn't care about Free
> Software is very constructive.

I agree, and if my mail sounded like I was pissed off, that would be correct.
He waves off every criticism that what he's doing is wrong, implying he doesn't
care.  His position seems to be "I have my own definition of what free software
is, and I'll apply that to decide whether software can go into main or not".
That greatly bothers me, because our rules for what software goes into main are
probably the biggest feature of the distribution to me.  His attitude (ignoring
those rules) harms that feature.

I tried to convince him normally first, trying to get him to see why what he
does is wrong.  However, the main question is the one I asked in the text you
quoted from me; it has been asked several times, but never been answered.

> If all the energy spent in this thread would have been spent in improving
> our javascript ecosystem, it would have been better.

If we have people maintaining our packages with the attitude displayed here,
some outsiders trying to patch things for them is not going to help much.  For
all I can see, he'd not even accept the patches because he doesn't consider any
of this a problem.

I agree that working on code is good, but I disagree that talking about
philosophy is wasted time.

> I understand both sides of this discussion and it's a hard problem.

I do understand that packaging minified JS code is hard.  I also understand
that a maintainer may give up on doing it right.  I do not understand that when
that happens, they still insist the package can be in main.

> I certainly do not want to move wordpress or publican to contrib because
> some of the javascript libraries that it uses can't be rebuilt from main.

In that case, my question applies to you as well: why do you care for it to be
in main, if you are unwilling to follow the rules we have set up for it?

> Do you see now how your question is not constructive? The javascript bits
> are free software

Which require a compiler that is not in main to build.  That is the definition
of what contrib is for.  Why shouldn't it go in there?

> and are often a small part of a bigger project that is free software.

If they were separately packaged, they'd need to be in contrib.  The bigger
software, having a Depends on that package, would then also need to be in
contrib.  There is no "unless it's only a little" exception to our requirement
that things must have their compiler in main.

> As long as we provide the non-minified javascript files along with all
> the embedded copies that we have, we are respecting our social contract.

I'll give you that the SC isn't very clear on requiring compilers to be in
main, but policy is (for programs anyway, and javascript certainly is a
program) and I didn't think there was any real discussion about it, really.

Are you arguing that having tools to go from source to binary available in main
should not be a requirement for a package to be in main?

> But now I'd like that people stop giving lessons to their fellow DD who
> are actively trying to package parts of the javascript world.

If people have good intentions (and don't get me wrong, I believe everyone
involved does have good intentions), that doesn't mean I automatically have to
agree that their course of action is acceptable.  And if I feel that what they
do harms Debian, I think it isn't just my right, but it is my duty to say
something about it.  To me, the SC doesn't just mean that my packages will
follow the rules, but also that I will attempt to fix problems that aren't in
my packages (as time permits, of course).  In this case, the main problem that
needs fixing seems to be the interpretation of our rules.  That's a social
problem, which needs to be fixed by talking.

On Mon, Aug 31, 2015 at 11:21:55AM -0400, Marvin Renich wrote:
> * Bas Wijnen <wijnen@debian.org> [150830 07:53]:
> > On Sun, Aug 30, 2015 at 10:14:13AM +0200, Vincent Bernat wrote:
> > > Is that the preferred form of modification? It depends, but from the
> > > jQuery author point of view, it isn't:
> > 
> > Then it isn't.
> 
> I take exception to this.

I agree with your point.  What I meant to say is that what upstream actually
uses for modifying the work is what we should use as source.  That may change
if upstream changes, and it may not be a clear definition anyway if upstream
consists of multiple people and they have different ideas about it.  But most
of the time this is very clear; if you send a patch and they say "that's not
the file I use for editing", then it's not the source.

> Also note that the phrase "preferred form of the work for making
> modifications to it" comes from the GPL, not from the DFSG.

True, but we don't have a definition ourselves, and there seems to be consensus
that this is a good one.

Thanks,
Bas
