Wouter Verhelst <w...@uter.be> writes: > The point is, I'm having a hard time buying the argument that if the > minified javascript was unmodified, and if the non-minified javascript > library is in the archive (or a version of said javascript library > which will function in exactly the same way), that the minified > javascript is suddenly non-free because it does not contain the > non-minified version in the *same* source tarball.
No-one AFAIK is making that argument, so that hopefully sets your mind at ease. > For the very same reason we accept built-using and *- source packages, > I don't see a problem with having a minified javascript library in a > source tarball *as long as the source is in Debian*, somewhere. Agreed, if that can be known with confidence at least as good as the very simple and reliable method of removing the non-source form out of the Debian source package. > The point of freedom is to allow people to make changes, not to have a > pedantically correct version of every bit of source "out there". The point of freedom is more than merely to make changes; it is the freedom to inspect the work and see what it does, it is the freedom to share the work with others in the same freedom as the original. Both those are thwarted by receiving a non-source form of the work, without a verifiable assurance that the claimed source *actually* is the corresponding source for the non-source form they received. > So long as people can make such changes without too much effort (and I > submit that in the case of minified javascript libraries without > non-minified version, they can), I don't see what the problem is. So that I understand your position: You're saying a recipient of Debian who obtains, from the Debian source package, a minified JavaScript file *without* corresponding source, has effective freedom to modify that work? That the freedom to modify the work does not entail that they receive the preferred form of the work for making modifications, in order to make modifications? > [...] > > How can we verify which [non-source JavaScript libraries] are > > verbatim copies [from a work for which we demonstrably have source], > > automatically for every release of the source package? > > If you must, you could take a checksum and build a database of known- > unmodified versions. I'm not convinced that's actually useful, > however. If you must, that could work. That's more complex and less reliable than simply omitting the non-source form of the work. > We are merely guessing and hoping that most of the code in Debian is > actually under the license terms as specified in the debian/copyright > file, too. The difference being that in the case of upstream's claim of copyright grant and license terms, we have little choice, since there is no good way to automatically and independently verify those claims. In the case of non-source forms of a JavaScript library, we clearly have a simple way to be certain: > > How can we verify independently that no such assertion is false? > > I've described a means that is certain and simple: discard the > > non-source form from the source package. > > It is certainly a certain way of doing that, yes. It is also annoying > for the maintainer involved, and should not be necessary. I'd love for it not to be necessary; sadly, until upstream stop bundling non-source forms of a work, the onus for ensuring Debian recipients actually get the corresponding source for what's in Debian falls to us as maintainers. -- \ “The best mind-altering drug is truth.” —Jane Wagner, via Lily | `\ Tomlin | _o__) | Ben Finney -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/8538glenhz....@benfinney.id.au