forums, mailing lists and other tools

Carsten Agger agger at
Thu Jan 18 11:14:12 UTC 2018

On 01/18/2018 11:02 AM, Mirko Boehm wrote:
> Hi,
>> On 18. Jan 2018, at 10:45, Daniel Pocock <daniel at 
>> <mailto:daniel at>> wrote:
>> The real questions:
>> - can you trust a container to be available in the future the same
>> extent that you can trust a package in a stable Linux distribution?
>> - can you trust upstream developers to ensure they never put anything
>> non-free into their container images or does somebody have time to
>> verify the contents of those images on every update?
>> When you take something from an official package, it has usually been
>> looked at by a second set of eyes already.  If you cut that step out
>> then how long is it before non-free stuff creeps in?
> These are real questions. I don’t have any answers for them. To me the 
> issue of JS in web services is separate from them, though.
As a developer, I'd like to chip in on this:

1. There's no problem at all in web applications in JavaScript per se. 
JavaScript is a powerful tool, it's standardized as Mirko said, and of 
course JavaScript programs can give the four freedoms just as well as 
every other programming language. Minified versions (corresponding to 
compiled code) in deployments is also not a problem, since if it's free 
software the source code will also be available for whoever wants it.

Indeed, JavaScript-based web applications are a perfect candidate for 
the Affero GPL, and maybe they *should * be under the Affero GPL as a 
standard recommendation.

2. However, I find containers to be black magic. How can you trust them 
to be 100% free software if you don't build them yourself? I honestly 
don't know if Debian's packaging model is a perfect fit for distributing 
JavaScript, which is, I suppose, why people have come up with npm etc. 
in the first place. A non-broken NPM or a complete bundling of source 
code in releases (i.e., pull in the sources of all dependencies and be 
able to run the source version of all packages in developer mode) would 
be preferrable. Plone, for instance, tends to bundle its JavaScript 
itself and allows you to unbundle and unminify everything when debugging.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Discussion mailing list