Re: is it a DFSG breach or not?

Sat, 24 Jan 2009 12:01:25 -0800 

On Sat, 24 Jan 2009 22:23:33 +0300
"Dmitry E. Oboukhov" <un...@debian.org> wrote:

> I am asked to act as a sponsor of phpunit  [*]  package.   However  there's
> a situation that needs an advice.  There's  JS  in  the  package  that  was
> run through the filter which deletes comments and spaces.  In  fact  it  is
> like Java script passed through obfuscator.

Is this the file:
<script type="text/javascript"
src="http://yui.yahooapis.com/2.6.0/build/yahoo-dom-event/yahoo-dom-event.js";></script>
 
?

If so, it's ugly, yes, but the lack of comments doesn't render the file
as "without source". The variable-name substitution to nearly only
single character names certainly makes maintenance into a problem but
that isn't necessarily non-free either.

Doing a simple s/;/;\n/ produces some 900 lines.
 
> I suggested to  maintainer  to replace this JS by the JS source and use the
> filter (if  it  is  necessary) in  the moment of fulfilling debian/rules.
> 
> However it seems that there's no source of this JS in public access, though
> JS itself is distributed by BSD license.

But what do you mean about source for this Javascript? Do you only mean
the comments or obtaining some kind of idea about what the abbreviated
variable names were originally called? It may well be preferable for
ongoing maintenance (IMHO an important bug) and security implications.

>     JS - is an interpreter language,  _theoretically_  it  is  possible  to
> _restore_ the source, but if following DFSG then in fact the source is  not
> included into archive.  This is a bug of the Serious level  (at  least  for
> Debian/main).
> 
> Am I right? Please help me to make a decision: what is better to do?
> 
> 1. to became a sponsor of the package
> 2. to post Serious bugs to [1] [2] [3] [*] packages
> 3. to move the package to non-free (there's no source)

How can you do [3] without also doing [2] if that is how you view the
problem?

Personally, I'd see what the security team think about this Javascript
and the probable difficulties in fixing any bugs that may appear within
it.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

Attachment: pgpJWLNKFIS49.pgp
Description: PGP signature

Reply via email to