Re: Security concerns with minified javascript code

On Wed, 2 Sep 2015 08:59:11 -0400
Marvin Renich <mrvn@renich.org> wrote:

> * Thorsten Glaser <t.glaser@tarent.de> [150902 07:50]:
> > There is (I just had an epiphany) another possible criterium to
> > apply for to determine what the preferred form of modification is:
>                                            ^ for
>   [Okay, so I'm being pedantic, but this is a common mistake.]
> > Does upstream accept patches for that form?
> I thoroughly and whole-heartedly disagree with this criterion.  As I
> stated in an earlier message, the purpose of the source requirement in
> the DFSG (and GPL, etc.) is not to protect the rights of the persons
> distributing software, but those receiving the software.  There is no
> requirement that changes to the software be returned to upstream;
> such a requirement would violate the dissident and desert island
> tests¹.

DFSG tests aside, there is copyleft. So where the recipient does
distribute their changes and the code is under a copyleft licence, it
is not just the next recipient who can benefit but also upstream.

There is little point meeting only DFSG requirements if the changes
have to be manually ported from one upstream release to the next simply
because the changes are made using a form which is not used by
upstream. Even without copyleft, the maintainer still has a clear
interest in getting those changes applied upstream or there's little
point in thinking of the software as free - we could easily be accused
of "hoarding" the changes in a way that works against other
distributions by "cutting out the upstream". That is actively unhelpful. 

> The source requirement is so that the recipient can make changes if
> desired, and if the changes are redistributed (not passed back to
> upstream), the second-level recipient may also make changes.
> Any test of preferred form for modification must be in terms of how
> the recipient is able to use it, not how the distributor would like
> it.

Upstream is another recipient of code distributed under copyleft.
Having changes in a format which upstream can use is absolutely a
sensible and sane criterion for what is regarded as the form of the
code for modification. To do otherwise is to make the maintenance
burden untenable.

Every recipient needs to get the source code and the maintainer changes
in a format which is suitable for modification and that includes
the work of modification required to incorporate those changes into the
next upstream release. To rule out upstream requirements is nonsense.


Neil Williams
