On Tue, Jul 30, 2013 at 5:48 AM, Robert Marcano <robert@xxxxxxxxxxxxxxxxx> wrote:
> On 07/26/2013 12:30 PM, Nicolas Mailhot wrote:
>> On Mon 22 July 2013 21:58, Robert Marcano wrote:
>>
>>> The real problem with publishing things is that if I distribute binaries
>>> of many things I must follow the license; some say I need to distribute
>>> sources, some say that I need to distribute a copy of the license, etc.
>>> Making files downloadable by default adds more (legal) work for the
>>> distributor, because they must comply with their licenses. So if I put up
>>> an open service running an Apache-licensed web application, I will start
>>> distributing fonts with other licenses without ever noticing, for
>>> example GPL+3 (nothing against any license, only examples of the things
>>> people should care about when distributing free/open licensed code/assets)
>>
>> Again, the fonts available in Fedora are carefully vetted and none of them
>> have redistribution restrictions (and even for those with GPLish licenses
>> a large part of the font community considers the font file to be the font
>> source, so you can't redistribute one without the other).
>>
>> I understand your point, but please take another example.
>
> There isn't another example, with the exception of Javascript code that is
> planned to be made available too. I don't consider that the distribution
> must make the decision to make me a distributor of assets I am not using on
> one of the web applications I decided to publish on my webserver; those web
> applications must make available those assets, and only those assets.

You make the decision by installing a js-foo package, just like you make the decision to provide a web application by installing a package for it.

Also, it's just a default. Disabling it will be easy; just truncate the relevant config file:

echo > /etc/httpd/conf.d/web-assets.conf

> To force me to blacklist is wrong. Javascript code is worse in this aspect
> because it can be used as an attack vector, finding vulnerabilities that
> allow someone to inject Javascript code from the same server.

There is nothing like CORS protections for <script> tags. (In fact, they are commonly used to evade them, i.e. JSONP.) If an attacker can force your application to load code from your server, they can just as easily pull it from a public CDN or a server under their control. Even disabling all external script loading wouldn't help you, since they could just use eval().

-T.C.