Distributions [LWN.net]

Browserified JavaScript in Debian

By Jake Edge
October 19, 2016

A disagreement about the status of certain arguably non-free JavaScript components and their inclusion into the "main" Debian archives (as opposed to "contrib" or "non-free") is interesting in its own right, but it also raises some governance questions for the distribution. Debian is known for its strict adherence to the Debian Free Software Guidelines (DFSG), so it won't be a surprise that the question about the JavaScript components revolves around their fitness under those guidelines. The other piece, though, goes even deeper, perhaps, as it centers on the role and powers of the Technical Committee (TC) as laid out in the Debian Constitution.

JavaScript is increasingly used in a variety of different projects and there is often some kind of processing done on the raw JavaScript code for various purposes. "Minified" JavaScript gets obfuscated by making variable and function names as small as possible and removing extra white space, which is largely done to reduce its size for sending over the network, but has the effect of making it unusable as source code. Other projects use "browserified" JavaScript, which collects up several different modules into one file—sometimes performing other transformations along the way. And, of course, some projects use both.

Many of the projects that minify or browserify code use Grunt as a build system. But, Grunt is not packaged for Debian due to its reliance on the non-free JSHint component. That makes it problematic for Debian packages to build these files as part of the packaging procedure, so the packagers end up just including the processed files from upstream. The DFSG is quite clear, though, that Debian packages must come with source code—and it seems to be generally accepted that this processed JavaScript code does not qualify.

The issue raised its head again recently, when Pirate Praveen filed a bug requesting that the TC grant an exception for browserified JavaScript to be included in the Stretch (Debian 9) release, which is nearing its freeze date. In the bug, Praveen said that "every major web based software will have to be moved to contrib because its likely at least one of the javascript dependencies are in browserified form". He listed Diaspora, GitLab, Pagure, and Prometheus as being affected and suggested that there be an effort to get Grunt packaged for the release after Stretch so that the problem would be resolved in that release.

But, as happened with a similar bug Praveen filed back in July, the Technical Committee members are not quite sure what they are being asked to do—nor whether they actually have the power to make a ruling on the issue. In July, TC member Don Armstrong asked: "Could you clarify what the precise question is that you'd like the CTTE to answer?" In the more recent bug, TC member Tollef Fog Heen echoed that:

What is the exact question you're trying to get us to answer? Are you asking us for advice, are you asking us to overrule a developer or something else?

Joseph R. Justice, who is something of a neutral party with regard to the dispute, provided a helpful summary of some of the previous discussions of the issue. He tried to make it more clear what decision was being sought: effectively, either overriding the FTP team (which decides what can go into the main archive) with regard to Stretch or making a statement that the TC agrees with the decision and recognizes that it means users will have to enable the contrib and/or non-free archives for these types of packages.

TC member Sam Hartman responded, noting that the FTP team had not yet decided that the browserified JavaScript makes a package unqualified for the main archive, though he admitted that it was pretty clear the team would rule that way. But he also raised a constitutional question:

It's not clear constitutionally that the TC can overrule the ftp team's decision regarding whether something is DFSG-free. Even if we could, it's not clear that is a technical decision in our scope. So, asking the TC to overrule such a decision is asking for the hardest political choice possible in such a situation--a really hard sell within the project and the TC.

Beyond that, Hartman said that he wasn't comfortable making a blanket ruling about browserified JavaScript and would rather see some kind of intellectual framework that could be more widely applied, rather than make some ad hoc decision. "User convenience is something we're likely to consider, but 'source is what we need source to be so things work well for users,' is going to be a really improbable sell." But that didn't sit well with Adrian Bunk, who pointed to a bug filed against the Perl Configure script, which cannot be generated from the Debian sources. The Perl maintainer seems to have more or less routed around the DFSG question. Bunk said:

The relevant part of #762638 is:

Clearly perl isn't going to be kicked out of Debian because of this, but a less important package might well be.

That is exactly the problem here - browserified javascript is not important enough, so FTP team and TC are getting away with not making a decision.

Hartman admitted that he disagreed with the Perl maintainer's decision, but that still leaves the browserified JavaScript question (and the libjs-handlebars bug that Praveen is most concerned about) unresolved. Several in the thread suggested that Praveen take the question directly to the FTP team, which he did. The response indicated that the team would not oppose the Release team granting an exception for Stretch. So Praveen, who appears to be dogged in his persistence, filed a bug requesting such an exception. The request was a bit overbroad, perhaps, but it seems likely that something will be worked out for libjs-handlebars at least.

In the thread, both Bunk and Ian Jackson expressed frustration with the seeming inability of the TC members to find a way to help resolve the situation—or at least to move it along in a positive direction. It is an issue that apparently pops up with some frequency (not necessarily with regard to browserified JavaScript, but for Perl, SQLite, and others), but never seems to get resolved. However, the TC members seem to feel that they don't really have the proper authority.

On the tech-ctte mailing list, TC member Didier Raboud asked Debian Project Secretary Kurt Roeckx for some assistance in determining what authority the TC has in overriding decisions made by teams who have been delegated their authority by the Debian Project Leader (DPL), such as the FTP and Release teams. Roeckx's answer was not entirely clear-cut, in part because the TC has broad powers, but the main takeaway is the following: "The only way I can see how to overrule a delegate of the DPL is by using a GR [General Resolution]." He did note that it is possible the TC could "overrule" a delegate by using a different power that ended up having the same effect. It is a little hard to see that ever happening without it causing some major upheaval within Debian, though.

It would seem that progress has been made here—in typical Debian style. The project has built up its processes and procedures over the years and it sometimes looks rather bureaucratic in its deliberations and decision-making, but project members mostly seem to respect and even revere how it all works. That type of organization may not be for everyone, but there are plenty of choices in the free software world for those who find Debian too constraining. As a large, and largely smoothly functioning, group, though, Debian shines in its ability to work things out without rancor for the most part.

Comments (12 posted)

Brief items

Distribution quotes of the week

Perhaps I'm channeling my inner Heinlein here, but if you want to have an official say in how things go, then you should get your hands dirty. If your hands really are dirty, then you should be recognized as such. The bar need not be set exactly where it is today, but there should be some kind of minimum activity level if somebody wants to be a member. It shouldn't just be people who "like Gentoo." Gentoo has to work first and foremost for those who are active contributors, since those are the people we most need to keep happy. If people want to have more of a say and become active contributors to have that say, then so much the better. Also, if you want somebody to have a role in defining just how the operation works, then they need to demonstrate that they're going to be an informed voter/etc. You can't run a volunteer-based organization on wishful thinking.

— Rich Freeman

Fedora/RISC-V is finished!

— Richard WM Jones

We are a tiny band in a market of giants, but our focus on delivering free software freely together with enterprise support, services and solutions appears to be opening doors, and minds, everywhere. So, in honour of the valiantly tiny leaping long-tailed over the obstacles of life, our next release which will be Ubuntu 17.04, is hereby code named the ‘Zesty Zapus’.

— Mark Shuttleworth

-=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
59c0e60e-94a1-11e6-8e0b-0e6d1d2d9c75
[   ] Choice 1: Repeal subsequent GR
[   ] Choice 2: Bcc all correspondence to Wikileaks
[   ] Choice 3: Run in circles, scream and shout
[   ] Choice 4: Further Discussion
-=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

— Ben Finney

(Reproducible) builds from source (with continuous rechecking) is the only way to have enough confidence that a Debian user has the freedoms promised to them by the Debian social contract.

— Paul Wise

Comments (none posted)

Ubuntu 16.10 (Yakkety Yak) released

Ubuntu 16.10 (Yakkety Yak) has been released. "Under the hood, there have been updates to many core packages, including a new 4.8-based kernel, a switch to gcc-6, and much more." The flavors Kubuntu, Lubuntu, Ubuntu GNOME, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have also been released. Ubuntu 16.10 will be supported for 9 months.

Full Story (comments: 13)

RebeccaBlackOS Wayland Live CD release

There are new iso images available for the Wayland showcase distribution RebeccaBlackOS. "I have almost everything Wayland related on these ISOs, and also now, there are an increasing number distributions containing Wayland sessions, such as Fedora with Gnome-Shell, and KDE Neon's ISOs. My ISOs have more Wayland Desktops however, both KDE and Gnome, as well as Enlightenment, Orbital, Hawaii, Orbment and Sway. Also all Wayland enabled toolkits, Qt, GTK, EFL, SDL, glfw and FreeGLUT This has the master versions of all the Desktop Environments."

Full Story (comments: none)

Live kernel patches for Ubuntu

Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.

Full Story (comments: 20)

Distribution News

Debian GNU/Linux

DebConf18 in your city! Meet end-of-year bid deadline

The Debian Project is seeking proposals for hosting DebConf18. "There are a lot of past DebConf organisers around to help, so you're not on your own. But we'll need your energy and local expertise to find a venue, accomodation, and all the other local options. Of course, we'll be able to provide guidance all along the way." Proposals are due by December 31.

Full Story (comments: none)

Other distributions

Scientific Linux 5 Six Month Warning - SL5 End Of Life

Scientific Linux 5 will reach end-of-life on March 31, 2017. There will be no more updates, including security updates, after that date.

Full Story (comments: none)

Newsletters and articles of interest

Distribution newsletters

Debian Misc Developer News (October 17)
DistroWatch Weekly, Issue 683 (October 17)
Lunar Linux weekly news (October 14)
openSUSE news (October 13)
openSUSE Tumbleweed – Review of the Week (October 14)
Ubuntu Kernel Team weekly newsletter (October 11)
Ubuntu Weekly Newsletter, Issue 484 (October 16)

Comments (none posted)

Parrot Security 3.2 “CyberSloop” Ethical Hacking OS (TechWorm)

TechWorm reviews Parrot Security 3.2. "If you are a hacker, pentester, or a security researcher, this news should interest you. The best Linux OS after Kali, Parrot Security 3.2 “CyberSloop” was released today. The developers released the second point release to the Debian-based Parrot Security 3.x GNU/Linux distribution designed for ethical hackers and security researchers." A brief release announcement is on the Parrot Blog.

Comments (none posted)

Open source ResinOS adds Docker to ARM/Linux boards (HackerBoards)

HackerBoards takes a look at ResinOS. "Resin.io, the company behind the Linux/Javascript-based Resin.io IoT framework for deploying applications as Docker containers, began spinning off the Linux OS behind the framework as an open source project over a year ago. The open source ResinOS is now publicly available on its own in a stable 2.0.0-beta.1 version, letting other developers create their own Docker-based IoT networks. ResinOS can run on 20 different mostly ARM-based embedded Linux platforms including the Raspberry Pi, BeagleBone, and Odroid-C1, enabling secure rollouts of updated applications over a heterogeneous network."

Comments (none posted)

Page editor: Rebecca Sobol
Next page: Development>>