
Re: Security concerns with minified javascript code



* Bas Wijnen <wijnen@debian.org> [150902 17:36]:
> > On Wed, 2 Sep 2015 13:33:57 -0400 Marvin Renich <mrvn@renich.org> wrote:
> > > No, "A preferred form" is what upstream uses.  The DFSG does not use
> > > the term "THE preferred form", and I believe that was wise.
> 
> The DFSG doesn't define source at all.  There seems to be consensus (you're the
> only one who doesn't seem to agree) that the definition from the GPL is a good
> one, and that does say "the".

Quoting from [1]:
  The process involves human judgement. The DFSG is an attempt to
  articulate our criteria. But the DFSG is not a contract.

People keep trying to use "the preferred form for modification" as a
rule.  This is wrong.  The rest of the paragraph quoted above should
also be read.

I do strongly believe that "preferred form for modification" is a good
test to apply, but it is not an absolute.  I also believe that sometimes
there is more than one form of source that can satisfy the DFSG.  A
simple example is the .xcf/.png/.ico example I gave in a previous
message.  This is why I disagree with using "THE" (implying only one)
instead of "A" (implying one of many).

> > > There can be multiple "preferred forms" for some software, and all are, in
> > > my opinion, acceptable by the DFSG.  The real question is whether it is
> > > reasonable to expect someone who wishes to modify the software to consider
> > > the form "source".
> 
> I disagree partly.  It is possible to copy a generated file and use that as
> source.  IMO that isn't the case until modifications have actually been made
> to that file, though.  If an upstream (which doesn't need to be
> the original upstream) actually uses a file to make modifications, an argument
> can be made that this format is source.
> 
> At the same time, we should try to convince upstreams that do such a thing to
> stop it; it causes code duplication and a (security) support nightmare.

I'm not sure how that is relevant to what I said.

> "Someone might think they can make modifications to this file" is much too
> broad; for some modifications a hex editor is good enough.  And in some cases
> that is totally reasonable, such as an executable for which you don't have
> source.  That doesn't make binary executables source.

That is not at all what I said.  To paraphrase, using a circular
definition, if I can _reasonably_ _expect_ most other people to agree
that it is source, then that is a very good indication that it is
source.

...Marvin

[1] https://people.debian.org/~bap/dfsg-faq.html#testing

