[Pkg-javascript-devel] JavaScript policy?

Ben Finney ben+debian at benfinney.id.au
Mon Mar 31 04:34:29 UTC 2014 

François-Régis <frv at miradou.com> writes:

> Hi Ben,
>
> Le 31/03/2014 00:03, Ben Finney a écrit :
> > * How do we know – and demonstrate to anyone who asks – the truth of
> >   the assertion that the source is actually the corresponding source
> >   of the exact non-source file?
>
> Before asking how do we know, we should ask do we need to know (and
> this in fact the question of the thread).

You're asserting that there is some set of works received from upstream
where:

* (for example) ‘foo.js’ and ‘foo.min.js’ are distributed together; and

* the Debian maintainer claims ‘foo.js’ in the source package is the
  corresponding source for ‘foo.min.js’ in the source package, thereby
  satisfying the Social Contract requirement to provide the source for
  every work in Debian.

Yes? (If you're not claiming there is such a set of works, then I don't
see the point of discussing what to do about them. So I'll continue on
the assumption that you claim there really *are* some such works to
which the discussion applies.)

In order for the Debian package maintainer to claim that file ‘foo.js’
is the corresponding source for the non-source file ‘foo.min.js’, we
should require that the claim is true about those specific files.

That seems to make it clear that the question quoted above – “how do we
know?” – is prior to the question you're posing – “based on that
knowledge, what should we do?”.

Or are you saying that it's acceptable for a Debian package maintainer
to make a claim about the freedoms of the source package's recipient,
without a sound reason for claiming it?

> >   My answer to this is: Currently, we don't know that at all. We
> >   take upstream's word for it, though upstream frequently has no
> >   incentive to guarantee that to us and can easily make mistakes in
> >   ensuring it.
>
> You're right so we take care to which is pristine upstream and which
> is provided in binary package. And people using debian source packages
> outside debian should take care of it, but can check that upsream
> tarball is the same as debian tarball.

That's an entirely separate question: whether what Debian provides is
the same file as provided by upstream. That question is not at issue.

What is at issue is whether *what upstream provides* is actually
corresponding source for a non-source file. Whether, for example, the
file ‘foo.js’ is the corresponding source for ‘foo.min.js’. The fact
that upstream provided both of them is no help in determining the answer
to that question.

So the provenance of a file, while important for other questions, is of
no help in answering the question at issue here.

> The question here is to accept minified versions of files that have
> sources in orig tarball,

Before that question even makes sense, a necessary prior question is:

*Is it true* the sources for those minified files are actually in the
orig tarball, and *how* does any recipient verifiably know that?

> I just try to have responses to the question I've adressed "Should we
> remove from source tarball minified versions of source files existing
> in tarball". The response may depends on context but please deatails
> which kind of contest.

I hope this makes it clearer.

-- 
 \     “Don't be afraid of missing opportunities. Behind every failure |
  `\         is an opportunity somebody wishes they had missed.” —Jane |
_o__)                                          Wagner, via Lily Tomlin |
Ben Finney

More information about the Pkg-javascript-devel mailing list