On Aug 3, 2013 8:55 PM, "T.C. Hollingsworth" <tchollingswo...@gmail.com> wrote:
>
> On Tue, Jul 30, 2013 at 5:48 AM, Robert Marcano
> <rob...@marcanoonline.com> wrote:
> > On 07/26/2013 12:30 PM, Nicolas Mailhot wrote:
> >> On Mon 22 July 2013 21:58, Robert Marcano wrote:
> >>
> >>> The real problem with publishing things is that if I distribute binaries
> >>> of many things I must follow the license, some say I need to distribute
> >>> sources, some say that I need to distribute a copy of the license, etc.
> >>> Making files downloadable by default adds to the distributor more work
> >>> (legal) because they must comply with their licenses. So if I put an
> >>> open service of an Apache licensed web application, I will start
> >>> distributing fonts with other licenses without ever noticing, for
> >>> example GPL+3 (nothing against any license, only examples of the things
> >>> people should care when distributing free/open licensed code/assets)
> >>
> >> Again, the fonts available in Fedora are carefully vetted and none of them
> >> have redistribution restrictions (and even for those with GPLish licenses
> >> a large part of the font community considers the font file is the font
> >> source, so you can't redistribute one without the other)
> >>
> >> I understand your point but please take another example.
> >>
> >
> > There isn't another example, with the exception of Javascript code that is
> > planned to be made available too. I don't consider that the distribution
> > must make the decision to make me a distributor of assets I am not using on
> > one of the web applications I decided to publish on my webserver, those web
> > applications must make available those assets and only those assets.
>
> You make the decision by installing a js-foo package, just like you
> make the decision to provide a web application by installing a package
> for it.
>
Do you know there are GNOME JavaScript applications? And that JavaScript is being encouraged as a language for desktop applications? So all those libraries that can be used on desktop and web clients will be shared by default if I install a desktop application that needs that library and a web application that never uses that library? This is madness; why not share /usr/bin via NFS too by default?

This is a licensing problem. I should not need to disable it, because I think Fedora should not share code/assets only because I installed it; the web application needs to share it if it is really needed. I think I am being repetitive here and nobody understands my point of view :-( Probably I should ask on fedora-legal. I don't like where this is going, making me a distributor by default of every JavaScript package installed even if no web application needs them.

> Also, it's just a default. Disabling it will be easy; just truncate
> the relevant config file:
>
> echo > /etc/httpd/conf.d/web-assets.conf
>
> > To
> > force me to blacklist is wrong. Javascript code is worse in this aspect
> > because it can be used as an attack vector, finding vulnerabilities that
> > allow someone to inject Javascript code from the same server
>
> There is nothing like CORS protections for <script> tags. (In fact,
> they are commonly used to evade them, i.e. JSONP.) If an attacker can
> force your application to load code from your server they can just as
> easily pull it from a public CDN or a server under their control.
> Even disabling all external script loading wouldn't help you, since
> they could just use eval().
>
> -T.C.
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct