On Aug 3, 2013 8:55 PM, "T.C. Hollingsworth" <tchollingsworth@xxxxxxxxx> wrote:
>
> On Tue, Jul 30, 2013 at 5:48 AM, Robert Marcano
> <robert@xxxxxxxxxxxxxxxxx> wrote:
> > On 07/26/2013 12:30 PM, Nicolas Mailhot wrote:
> >> Le Lun 22 juillet 2013 21:58, Robert Marcano a écrit :
> >>
> >>> The real problem with publishing things is that if I distribute binaries
> >>> of many things I must follow the license, some say I need to distribute
> >>> sources, some say that I need to distribute a copy of the license, etc.
> >>> Making files downloadable by default adds to the distributor more work
> >>> (legal) because they must comply with their licenses. So if I put an
> >>> open service of an Apache licensed web application, I will start
> >>> distributing fonts with other licenses without ever noticing, for
> >>> example GPL+3 (nothing against any license, only examples of the things
> >>> people should care when distributing free/open licensed code/assets)
> >>
> >>
> >> Again, the fonts available in Fedora are carefully vetted and none of them
> >> have redistribution restrictions (and even for those with GPLish licenses
> >> a large part of the font community considers the font file is the font
> >> source, so you can't redistribute one without the other)
> >>
> >> I understand your point but please take another example.
> >>
> >
> > There isn't another example, with the exception of _javascript_ code that is
> > planned to be made available too. I don't consider that the distribution
> > must make the decision to make me a distributor of assets I am not using on
> > one of the web applications I decided to publish on my webserver, those web
> > applications must make available those assets and only those assets.
>
> You make the decision by installing a js-foo package, just like you
> make the decision to provide a web application by installing a package
> for it.
>
Do you know there are GNOME _javascript_ applications? And that _javascript_ is being encouraged as a language for desktop applications? So all those libraries that can be used on desktop and web clients will be shared by default if I install a desktop application that need that library and a web application that never uses that library? This is madness, why not share /usr/bin via NFS too by default
This is a licensing problem. I should not need to disable it, because I think Fedora should not share code/assets only because I installed it, the we application need to share it if it is really needed. I think I a being repetitive here NAD nobody understand my point of view :-( probably I should ask on fedora-legal, I don't like where this is going, making me a distributor by default of every _javascript_ package installed even if no web application needs them
> Also, it's just a default. Disabling it will be easy; just truncate
> the relevant config file:
> echo > /etc/httpd/conf.d/web-assets.conf
>
> > To
> > force me to blacklist is wrong. _javascript_ code is worse in this aspect
> > because it can be used as an attack vector, finding vulnerabilities that
> > allow someone to inject _javascript_ code from the same server
>
> There is nothing like CORS protections for <script> tags. (In fact,
> they are commonly used to evade them, i.e. JSONP.) If an attacker can
> force your application to load code from your server they can just as
> easily pull it from a public CDN or a server under their control.
> Even disabling all external script loading wouldn't help you, since
> they could just use eval().
>
> -T.C.
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct