On Thursday, 6 October 2016, 14:38:21 CEST Adrian Bunk wrote:
> I am not sure whether this has been filed as a bug in any affected 
> package, but src:sqlite3 is not affected.
> The problem is the amalgamation in other packages, for example:
> https://sources.debian.net/src/firefox/49.0-4/db/sqlite3/src/sqlite3.c

This is of course problematic, especially because this source file is copied 
multiple times across the archive. It should really be under the Security 
Team's radar, though (it apparently isn't).

That said, there _is_ code to reproduce this amalgamation (roughly, a 
concatenation) in Debian main already, see [0] for example.

mksqlite3.tcl as well as all the source files it will bundle in sqlite3.c are 
DFSG-free source, and are available in Debian. Sure, sqlite3.c as embedded in 
firefox 49.0-4 is in version 3.13.0 and that version of src:sqlite3 isn't in 
any Debian suite anymore (we have snapshot.d.o though [1])

All of the above are imperfections (yes, bugs) in how src:firefox handles its 
internal sqlite3.c code copy. In an ideal world:

* src:sqlite3 would provide sqlite3.c in a binary package (sqlite3-static ?)
* src:firefox would build-depend against that package, and get rebuilt on 
sqlite3 security uploads
* firefox would use Built-Using pointing at the correct version of src:sqlite3

Note that the latter mechanism could be used immediately to get dak to 
guarantee the availability of the correct version of src:sqlite3 in mirrors.

As a conclusion, my point is we aren't talking about the same thing:

* On the src:sqlite3 (in src:firefox) side, we have a giant C file, merely a 
concatenation of source files in Debian, using a script available in Debian, 
all of which is free software.
* On the bug that triggered this discussion (#817092 in libjs-handlebars), we 
have the "browserified" handlebars-v1.3.0.js [2], which is a "transformation" of 
source files not in Debian, using tools not in Debian.

As was pointed out by Phil in [3], although the result is JavaScript code, the 
transformation is more than "just" concatenation. The original source files are 
not available in Debian, and the tools aren't either.


[0] http://sources.debian.net/src/sqlite3/3.14.2-1/tool/mksqlite3c.tcl
[1] http://snapshot.debian.org/package/sqlite3/3.13.0-1/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830978#90
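As an added example (not part of this message, nor of any Debian or SQLite tooling), a small Python scanner for the situation described above: it walks a source tree for embedded sqlite3.c amalgamation copies, reads the SQLITE_VERSION define each one carries, and flags copies older than a given fixed version. The directory layout, the sample file contents and the minimum version are assumptions.

```python
import os
import re
import tempfile

# Constructed stand-in for the top of an embedded sqlite3.c amalgamation;
# real amalgamations carry the same #define lines near the top of the file.
SAMPLE_AMALGAMATION = '''/**********************************************************
** This file is an amalgamation of many separate C source files from SQLite
** version 3.13.0.  By combining all the individual C code files into this
** single large file, the entire code can be compiled as a single translation
** unit.
*/
#define SQLITE_VERSION        "3.13.0"
#define SQLITE_VERSION_NUMBER 3013000
'''

# Matches only the string define, not SQLITE_VERSION_NUMBER.
VERSION_RE = re.compile(r'^#define\s+SQLITE_VERSION\s+"([0-9.]+)"', re.M)


def parse_version(text):
    """Return the SQLITE_VERSION string embedded in an amalgamation, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    return tuple(int(x) for x in v.split('.'))


def find_embedded_copies(root, minimum="3.14.2"):
    """Walk root for files named sqlite3.c; return (path, version, outdated)."""
    results = []
    for dirpath, _, files in os.walk(root):
        if 'sqlite3.c' not in files:
            continue
        path = os.path.join(dirpath, 'sqlite3.c')
        with open(path, errors='replace') as fh:
            head = fh.read(65536)  # the #define lines sit near the top
        ver = parse_version(head)
        outdated = ver is not None and version_tuple(ver) < version_tuple(minimum)
        results.append((path, ver, outdated))
    return sorted(results)


def demo():
    """Plant one constructed copy in a firefox-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, 'firefox', 'db', 'sqlite3', 'src')  # assumed layout
        os.makedirs(d)
        with open(os.path.join(d, 'sqlite3.c'), 'w') as fh:
            fh.write(SAMPLE_AMALGAMATION)
        return find_embedded_copies(tmp)
```

Run over a real unpacked archive, the report lists every vendored copy and its version, which is the inventory the Security Team would need to know which packages to rebuild after an sqlite3 upload.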
