
Re: Security concerns with minified javascript code




On Thu, Sep 03, 2015 at 08:47:11AM +0200, Vincent Bernat wrote:
> Without minification, we'll just ship packages that people won't
> use. Why would I run a crippled installation of Wordpress that will
> drive off part of my users to another competitor?

Because you know you have the right and the ability to be a part of the free
software community that created the software.  That is why you are running
Debian and don't have contrib or non-free in your sources.list.

From your mails it is clear that you don't care much about that.  That is fine.
I recommend that you do put contrib and non-free in your sources.list.  You'll
get all the non-crippled programs that we ship, but there's no guarantee that
you will be able to get the source, or compile it if you can get it.

To keep all our users happy, not just the ones who want contrib and non-free
enabled, please put things that people like me don't want to see in there, not
in main.  (Of course, fixing the problem is even better, but if you're not
willing to do that work, then at least don't put the software in main.)

> We don't turn C into an interpreted language because it would be easier
> to inspect the resulting binaries.

We do remove non-free content (or things that need non-main content) from
upstream sources and I'm sure some people consider that crippling as well.
There are two options: they are the maintainer and really like the stuff: they
can package it for contrib or non-free.  They are not: they can go use a
distribution that doesn't care as much about freedom as Debian does.

There is also a non-option: they break the rules we have set up for main, with
the excuse that otherwise our users would be unhappy.  That is what you
suggest.  We don't do that.  People who don't like our rules shouldn't be using
Debian.

Thanks,
Bas