On Thu, Oct 06, 2016 at 02:23:37PM +0200, Didier 'OdyX' Raboud wrote: >... > All of the above are imperfections (yes, bugs) in how src:firefox handles its > internal sqlite3.c code copy. In an ideal world: > > * src:sqlite3 would provide sqlite3.c in a binary package (sqlite3-static ?) > * src:firefox would build-depend against that package, and get rebuilt on > sqlite3 security uploads > * firefox would use Built-Using pointing at the correct version of src:sqlite3
The reality in unstable is already even better than your ideal world: Firefox does already use the shared SQLite library in unstable. For unstable you could just remove the file from the sources (and for most other affected packages that would just fix it). The main problem is that the security team has given up patching Firefox years ago, and just ships the latest ESR. SQLite in stable and oldstable is too old for recent Firefox, and therefore the amalgamation is used in security updates. >... > As a conclusion, my point is we aren't talking about the same thing: > > * On the src:sqlite3 (in src:firefox) side, we have a giant C file, merely a > concatenation of source files in Debian, using a script available in Debian, > all of which is free software. > > * On the bug that triggered this discussion (#817092 in libjs-handlebars), we > have the "browserified" handlebars-v1.3.0.js [2] which a "transformation" of > source files not in Debian, using tools not in Debian. No non-amalgamation sources for the exact SQLite version used by Firefox in jessie are in jessie. At that point the two cases have strong similarities.[1] > As was pointed by Phil in [3], although the result is JavaScript code, the > transformation is more than "just" concatenation. The original source files > are > not available in Debian, and the tools aren't either. As has already been pointed out, there are several issues mixed in the "browserified javascript" discussion. This is a package with several issues, not a generic example. Does the TC want to be constructive or not? The TC seeme to have doubts whether or not the constitution allows the TC to override decisions by the FTP team on DFSG issues. According to the constitution, the secretary has the power of interpreting the constitution. Has the TC already asked the secretary? If not, why not? If it would turn out that there is nothing short of a GR to override a decision of the FTP team on DFSG issues, I would expect the TC to state explicitely to Pirate Praveen that his only option is a GR. In any case, and clearly within what the TC could do, it would be constructive if the TC could become active itself with gathering a good understanding of the whole problem. No matter whether this gets resolved by FTP team, TC or GR, the biggest obstacle currently is that noone has a proper understanding of the whole problem. > Cheers, > OdyX cu Adrian [1] there could be significant differences somewhere, but my current impression is that the SQLite amalgamation might actually be more problematic than the basic browserified javascript case -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed