On 01/18/2018 11:02 AM, Mirko Boehm wrote:
Hi, 

On 18. Jan 2018, at 10:45, Daniel Pocock <daniel@pocock.pro> wrote:

The real questions:

- can you trust a container to be available in the future to the same
extent that you can trust a package in a stable Linux distribution?

- can you trust upstream developers to ensure they never put anything
non-free into their container images or does somebody have time to
verify the contents of those images on every update?

When you take something from an official package, it has usually been
looked at by a second set of eyes already.  If you cut that step out
then how long is it before non-free stuff creeps in?

These are real questions. I don’t have any answers for them. To me the issue of JS in web services is separate from them, though.

As a developer, I'd like to chip in on this:

1. There's no problem at all in web applications in JavaScript per se. JavaScript is a powerful tool, it's standardized as Mirko said, and of course JavaScript programs can give the four freedoms just as well as every other programming language. Minified versions (corresponding to compiled code) in deployments are also not a problem, since if it's free software the source code will also be available for whoever wants it.

Indeed, JavaScript-based web applications are a perfect candidate for the Affero GPL, and maybe they *should* be under the Affero GPL as a standard recommendation.

2. However, I find containers to be black magic. How can you trust them to be 100% free software if you don't build them yourself? I honestly don't know if Debian's packaging model is a perfect fit for distributing JavaScript, which is, I suppose, why people have come up with npm etc. in the first place. A non-broken NPM or a complete bundling of source code in releases (i.e., pull in the sources of all dependencies and be able to run the source version of all packages in developer mode) would be preferable. Plone, for instance, tends to bundle its JavaScript itself and allows you to unbundle and unminify everything when debugging.

Best
Carsten