[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security concerns with minified javascript code

The below is very much a tangent from the minified Javascript case, and
not applicable to that case.

Bas Wijnen <wijnen@debian.org> writes:

> Here's a rule to limit the selection a bit: a file is certainly not
> source if it was originally generated from a different file, and has not
> been modified.

This makes files for which the source has been irrevocably lost
non-DFSG-free.  I don't think that's a good feature, nor is that the
standard that ftpmaster has used in the past for the archive.

Admittedly, that's something of an edge case, but I've uploaded PostScript
files with that property in one package in the past because they were
still the best available documentation for part of a software package (and
called this out in debian/copyright, and had the package approved by
ftpmaster).  An extensive search had been done for the original source
(which was originally in an internal IBM documentation generation system),
and everyone including IBM was pretty sure that the source was gone
forever and will never be found.

I think reading "preferred form of modification" from the perspective of
upstream is a useful standard because it handles some edge cases like
that, and because it feels ethically consistent with free software
principles.  The goal is that everyone with a copy of the software should
be on equal footing.  The person distributing the software should have no
special access to sources that those receiving the software don't get.

If *no one* has access to anything better than a binary file, then
possession of that binary file puts you on an equal footing with everyone
else in the world, which I think is all that we can reasonably ask.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: