
Re: Browserified files and DFSG

Pirate Praveen <praveen@onenetbeyond.org> writes:

> On Monday 11 July 2016 01:09 PM, Ben Finney wrote:
>> Yet it is built with a tool not in Debian, from a different form of the
>> work that upstream actually uses for reading and modifying — the source
>> form of the work. So that compiled form is not the source form of the
>> work.
> There is a reason for that requirement; it is not like a Bible or Quran
> or another holy book where we have to follow it word by word without
> questioning.
> For me, the reason is to be able to modify the code, and with a readable
> JavaScript file that is possible.
> Yes, to be able to send patches, you will have to change different files
> (just rearranged), but is that enough reason to remove the package?
> And why are the people who are so strict about packaging the build tool
> not stepping up to package it? The RFP for node-grunt was filed on 21 May
> 2012 and it is still not complete. So removing these packages until
> grunt is packaged makes Debian better?

They should be in contrib.

Allowing them in main removes any incentive to do the work to fix this
problem, which I'd imagine is the reason it's not been done.

When this was last raised, I looked into it and concluded that grunt is
a tangled mess.

It strikes me that it might be a more tractable problem if one either
aimed to package a cut-down version of grunt, or to write a tool that
focuses on the features that are actually needed to do the concatenation
in easier cases.

That would then allow a distinction to be drawn between the packages
that use grunt in a simple manner, and are thus packageable in main, and
those that do not.  This would make it much more likely that either our
tools would then be incrementally enhanced, or upstreams would be
persuaded to restrict themselves to a more sane subset of grunt's

Simply letting them into main removes that pressure; it also means that
we're deceiving our users, since they expect buildable source for all
packages in main.

You seem to think this is a trivial matter, but if there's a bug in one
of the underlying (pre-concatenation) source files, the security team
then needs to backport the fix to stable.  By allowing this sort of
thing into main we saddle the security team with the job of hunting down
the buggy code in each of these concatenated files, and then attempting
to determine whether grunt has done anything subtle in each case.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Attachment: signature.asc
Description: PGP signature
