bug-librejs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Updated version of proposed LibreJS spec changes

From: Yuchen Pei
Subject: Re: Updated version of proposed LibreJS spec changes
Date: Sun, 23 Jul 2023 23:44:19 +1000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) 
On Sun 2023-07-23 01:23:59 -0400, bill-auger wrote:

> On Sun, 23 Jul 2023 11:10:26 +1000 Yuchen wrote:
>> #+begin_src js
>> /* content of foo.js which is under gpl3+ */
>> // SPDX-License-Identifier: GPL-3.0-or-later
>> // code from foo.js
>> /* content of bar.js which is nonfree */
>> // code from bar.js
>> #+end_src
>> 
>> librejs will assume the code in bar.js is also under gpl3+, and let it
>> through, when it shouldn't.
>
> such "bundles" suggest deeper questions - how would librejs know on
> which line
> of the concatenation does foo.js end and bar.js begin?

For mere concatenations, requiring a @license-end and rejecting any
script with only @license but no @license-end fix such issues. This is
the existing librejs behaviour btw.

>
> if such a fundamental question can not be resolved by a machine, then
> i would
> disqualify such "bundles", as fundamentally deceptive - i can think f
> a a worse
> case where foo.js declares a permissive license, then bar.js is actually
> GPL-licensed, but does not declare so in the source file,

AFAIK mistaking a file under a copyleft license to be under a permissive
license is only harmful when someone redistributes the code (e.g. turn
it proprietary), but the usecase for librejs is to accept or block
"first-hand" scripts before executing it, so this issue seems irrelevant
to me.

> or that
> information
> was stripped by a minimizer - the concatenated output file could
> technically be
> a GPL violation

For minimization and other less trivial transformations on the source,
weblabels can sort it out, as the site maintainer can declare source and
transformed js as the first and the third columns, see e.g. the FSF one
<https://weblabels.fsf.org/www.fsf.org/CURRENT/>.

Source Maps as described in the doc also look like it could help, but I
haven't looked into it yet, and judging from the description there it
seems to have similar functionalities to weblabels.

How does the SPDX specification handle this issue?

Best,
Yuchen

-- 
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
          <https://ypei.org/assets/ypei-pubkey.txt>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]