severity 1042532 normal
tags 1042532 wontfix
thanks

Hi,

On 7/31/23 07:23, roucaries bastien wrote:
> hi,
> On Mon, 31 Jul 2023 at 08:27, Kunal Mehta <lego...@debian.org> wrote:
> > These are in the preferred form for modification so I don't think
> > there's any issue here, but please correct me if I'm wrong. MediaWiki
> > often patches these libraries (e.g. jquery.ui) in this format hence IMO
> > meeting the "preferred form of the work for making modifications to it"
> > requirement of the GPL.
>
> No, https://sources.debian.org/src/mediawiki/1%3A1.39.4-2/resources/lib/pako/
> is webpacked in order to be transformed into ES5. No source is available
> before webpack.

IANAL, but as I understand it, there are two licenses to consider here: pako's MIT license (aka Expat) and MediaWiki's GPL v2 or later license. The pako_deflate.es5.js file contains the MIT license information/attribution, so we're in compliance for that.

MediaWiki's GPL v2 requires source code to be in "preferred form of the work for making modifications to it". In the context of MediaWiki, this is in the preferred form, since that's how we plan to (and do) modify it. If you want to patch MediaWiki, having the pre-transpiled sources is going to be way more work than the source we're providing right now. And the proof is that (AFAIK) MediaWiki devs will just patch these sources directly, they don't go to the upstream sources, adjust those, and then generate a patch. So I don't see a DFSG issue.

> And not sticking to the latest jquery is a security problem. Are you sure
> you have closed all the CVEs?

The ones that affect MediaWiki, I believe so. Upstream MediaWiki has at least one or two jQuery team members as core developers who follow that, not to mention the Wikimedia Foundation's security team.

> With my javascript hat on, I believe that working with upstream to
> improve the testing (using selenium if needed) will improve the
> security of mediawiki by using packaged and up to date js.

There is already upstream selenium-based testing, but using the latest version of everything isn't always a feature.

> In all cases it decreases the burden from a security point of view.

No, it really doesn't, it just shifts it elsewhere. The more deviations Debian makes, the less we can rely on upstream's QA processes for ensuring we're shipping working software, which will more likely slow down security updates. Since bundling is permitted by policy, we plan to continue doing it.

-- Kunal
