forums, mailing lists and other tools

Daniel Pocock daniel at
Thu Jan 18 09:45:19 UTC 2018

On 18/01/18 10:38, Mirko Boehm wrote:
> Hello,
>> On 18. Jan 2018, at 10:28, Daniel Pocock <daniel at
>> <mailto:daniel at>> wrote:
>>> The client-side Javascript to me is not a
>>> relevant issue anymore since JS is an open standard and browsers are
>>> sandboxed these days.
>> There is an issue:
>> a) if the JavaScript is distributed as minified blobs and we can't
>> rebuild it easily from source,
>> b) if a large application makes heavy use of things like the NPM
>> repository for its build process
> Accepted. I always assume that software like Discourse is compliant with
> FOSS licenses, where minified JS code is not “the corresponding source
> code”. That is usually a choice, though - most packages have a minified
> and a non-minified source URL. Developers tend to ship with links to the
> minified version because that is the norm and loads faster. 
> For a Debian packager, this is understandably a problem. We will
> probably run Discourse out of a container shipped by the project, not a
> package, so does that still apply to us?

The real questions:

- can you trust a container to be available in the future the same
extent that you can trust a package in a stable Linux distribution?

- can you trust upstream developers to ensure they never put anything
non-free into their container images or does somebody have time to
verify the contents of those images on every update?

When you take something from an official package, it has usually been
looked at by a second set of eyes already.  If you cut that step out
then how long is it before non-free stuff creeps in?



More information about the Discussion mailing list