On 18/01/18 10:38, Mirko Boehm wrote:
Hello,
On 18. Jan 2018, at 10:28, Daniel Pocock <daniel@pocock.pro> wrote:
The client-side JavaScript to me is not a relevant issue anymore since JS is an open standard and browsers are sandboxed these days.
There is an issue: a) if the JavaScript is distributed as minified blobs and we can't rebuild it easily from source, b) if a large application makes heavy use of things like the NPM repository for its build process
Accepted. I always assume that software like Discourse is compliant with FOSS licenses, where minified JS code is not “the corresponding source code”. That is usually a choice, though - most packages have a minified and a non-minified source URL. Developers tend to ship with links to the minified version because that is the norm and loads faster. For a Debian packager, this is understandably a problem. We will probably run Discourse out of a container shipped by the project, not a package, so does that still apply to us?
The real questions:
- can you trust a container to be available in the future to the same extent that you can trust a package in a stable Linux distribution?
- can you trust upstream developers to ensure they never put anything non-free into their container images or does somebody have time to verify the contents of those images on every update?
When you take something from an official package, it has usually been looked at by a second set of eyes already. If you cut that step out then how long is it before non-free stuff creeps in?
Regards,
Daniel
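The two concerns raised in the thread (minified JavaScript shipped without its corresponding source, and vendored NPM dependency trees that nobody re-audits on every image update) can at least be triaged mechanically. The following is an added example and is not code from the thread or from the Discourse project; it assumes the container image has already been exported to a directory (for instance with `docker export` piped through `tar`, which is not shown) and that minified files follow the common `foo.min.js` / `foo.js` naming convention. Files that fail the check still need a human to decide whether the source is obtainable elsewhere; the script only narrows the list that second set of eyes has to look at.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# First-pass triage of an extracted container filesystem for JavaScript
# shipped as minified blobs without a non-minified sibling, plus a count of
# vendored node_modules trees that must be re-audited on every update.
#
# Assumptions (hypothetical, not from the thread):
#   - the image root has been extracted to a directory passed as $1
#   - minified files are named *.min.js with the plain source next to them

# Print every *.min.js under the given root for which no sibling
# non-minified file (foo.js beside foo.min.js) exists.
find_minified_without_source() {
    root="$1"
    find "$root" -type f -name '*.min.js' | while read -r f; do
        plain="${f%.min.js}.js"
        if [ ! -f "$plain" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Count vendored dependency trees (node_modules directories) inside the
# image. Each one is a copy of third-party code that bypasses the
# distribution's packaging review and changes silently with upstream.
count_vendored_node_modules() {
    find "$1" -type d -name node_modules | wc -l | tr -d ' '
}

# Convenience wrapper: report both findings for an extracted image root.
triage_image_root() {
    root="$1"
    echo "Minified JS with no corresponding source under $root:"
    find_minified_without_source "$root"
    echo "Vendored node_modules trees: $(count_vendored_node_modules "$root")"
}

# Example invocation (the path is a placeholder, not a real image):
#   triage_image_root /tmp/discourse-rootfs
```

Run `triage_image_root` against the extracted filesystem after every pull of the upstream image; a non-empty first list or a growing node_modules count is the signal that the content has changed in a way that needs another review.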