Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Paul Wise <pabs@debian.org>
Date: Thu, 3 Sep 2015 10:53:34 +0200
Message-id: <[🔎] CAKTje6EbwBLUBW3Q29DcBD5TYe99JKKFg2Gu_Wa+E8FF9weLdw@mail.gmail.com>
In-reply-to: <[🔎] 87egiglchy.fsf@hope.eyrie.org>
References: <m36140otnx.fsf@neo.luffy.cx> <[🔎] 87wpwai2ri.fsf@thinkpad.rath.org> <[🔎] 87bndm87gd.fsf@zoro.exoscale.ch> <[🔎] 32027870.eszcDKyeSS@odyx.org> <[🔎] m337yyylr4.fsf@neo.luffy.cx> <[🔎] loom.20150902T134758-207@post.gmane.org> <[🔎] 20150902125911.GD28751@basil.wdw> <[🔎] 1441203126.9215.75.camel@decadent.org.uk> <[🔎] 20150902173357.GF28751@basil.wdw> <[🔎] 20150902193310.318cf37b@sylvester.codehelp> <[🔎] 20150902213538.GC16029@spark.dtdns.net> <[🔎] 87egiglchy.fsf@hope.eyrie.org>

On Wed, Sep 2, 2015 at 11:47 PM, Russ Allbery wrote:

> I think reading "preferred form of modification" from the perspective of
> upstream is a useful standard because it handles some edge cases like
> that, and because it feels ethically consistent with free software
> principles.  The goal is that everyone with a copy of the software should
> be on equal footing.  The person distributing the software should have no
> special access to sources that those receiving the software don't get.

Thanks for pointing out that the ideas behind Free Software, "source"
and "preferred form for modification" basically boil down to equality
of access.

> If *no one* has access to anything better than a binary file, then
> possession of that binary file puts you on an equal footing with everyone
> else in the world, which I think is all that we can reasonably ask.

We can of course strongly suggest upstreams not throw away their
source files and not modify generated files, instead preserving the
most expressive or information rich formats.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Security concerns with minified javascript code
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Didier 'OdyX' Raboud <odyx@debian.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>
- Re: Security concerns with minified javascript code
  - From: Thorsten Glaser <t.glaser@tarent.de>
- Re: Security concerns with minified javascript code
  - From: Marvin Renich <mrvn@renich.org>
- Re: Security concerns with minified javascript code
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: Security concerns with minified javascript code
  - From: Marvin Renich <mrvn@renich.org>
- Re: Security concerns with minified javascript code
  - From: Neil Williams <codehelp@debian.org>
- Re: Security concerns with minified javascript code
  - From: Bas Wijnen <wijnen@debian.org>
- Re: Security concerns with minified javascript code
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: the status of gstreamer1.0-plugins-bad
Next by Date: Bug#797875: ITP: libjs-bootswatch -- themes for Twitter Bootstrap
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread