Hi François-Régis, 2014-03-25 23:34 GMT+01:00 François-Régis <f...@miradou.com>: > I should have said "A pkg-javascript policy could be we don't embed > minified files into orig tarball"
This is correct when Debian packager == upstream maintainer. For most packages, that is not the case. The current policy (we need to have that documented on [0]) is that if the upstream tarball contains minified files, the upstream tarball must be repackaged to exclude these files. The Debian package then uses the repackaged tarball. The current policy is made using the assumption that minified == compiled. For my information: Has this ever clearly and definitively been established? I agree that we shouldn't be redistributing *compiled* software that we can't guarantee hasn't been fiddled with. That is indeed very difficult to do with e.g. a compiled C program. Minified files is a practice in the JavaScript developer community to provider smaller files (mainly for performance reasons), but they remain JavaScript scripts, only harder for a human to read. If you look at the Wikipedia article (obvious mention about possible unreliability applies) about minification [1], it doesn't compare it to compilation (only mention of "compil*" is about the Closure compiler, which is not what we're talking about). To help make this situation clearer, can somebody point us to (1) the exact part of the DFSG or policy that we're using to base our "exclude minified files from orig tarball" policy and (2) where discussions have been led with folks outside of our team (e.g. -devel) about the undistributable character of minified files in upstream tarballs? +Emilien [0] https://wiki.debian.org/Javascript/Policy [1] https://en.wikipedia.org/wiki/Minification_(programming) _______________________________________________ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel