
Re: Security concerns with minified javascript code



* Neil Williams <codehelp@debian.org> [150902 10:22]:
> Upstream is another recipient of code distributed under copyleft.
> Having changes in a format which upstream can use is absolutely a
> sensible and sane criterion for what is regarded as the form of the
> code for modification. To do otherwise is to make the maintenance
> burden untenable.
> 
> Every recipient needs to get the source code and the maintainer changes
> in a format which is suitable for modification and that includes
> the work of modification required to incorporate those changes into the
> next upstream release. To rule out upstream requirements is nonsense.

The whole point of this discussion is what does Debian require of
upstream for upstream to get its software distributed in Debian main.
It is presumed that upstream already has what it considers "source"; in
the case of this thread, that is minified JS.

My point is that if what upstream considers to be "source" is not
acceptable to Debian, and the Debian packager has to grab real source
from other places and use a build process that is different from what
upstream uses in order to make the Debian package satisfy the DFSG, then
upstream's wishes are not relevant to whether the Debian package
conforms to the DFSG.

Furthermore, if the Debian packager does not like upstream's arrangement
of source, even if it would satisfy the DFSG, and wishes to rearrange
it, whether or not the packager's arrangement satisfies the DFSG's
meaning of source should be judged on its own merit, not on whether
upstream is willing to accept patches based on the Debian packager's
arrangement.

I am _not_ saying this is necessarily a good decision.  The
distinction is between the DFSG, which is one part of the Debian Social
Contract, and the whole DSC.  DSC point 2 requires that the Debian
maintainer give back to upstream.  But that has nothing to do with what
satisfies the DFSG definition of source.

My argument is not that Debian should not use a form that upstream
likes, but that the definition of "source" for purposes of the DFSG is
independent of upstream's definition of source.  If both source forms A
and B satisfy the DFSG, and upstream uses form A, that does not make
form B fail to satisfy the DFSG, even for Debian packages of upstream's
software.

...Marvin