Re: Reference to RDFJS libraries

On 2014-10-29 17:50, Jonas Smedegaard wrote:
> Quoting Sarven Capadisli (2014-10-29 12:21:32)
>> Dear Lazy RDFJSWeb,
>>
>> If you use one of the rdfjs libraries in your front-end (browser)
>> application, do you refer to the source or have a local copy?
>>
>> I'm inclined to point to a GitHub resource for example, if others
>> wouldn't mind relying on that in their applications as well i.e., to
>> collectively take advantage of user browser caching. Otherwise, it is
>> more of a bother, and a local copy instead is as reliable as it gets.
>>
>> Is there a consensus? Got thoughts?
>
> Beware that referencing is a source of tracking its use.  Some see that
> as a benefit, others as worrisome.
>
> Debian have begun actively detecting and patching uses of CDNs in their
> (or our - I am a Debian Developer) redistribution of code projects:
> https://lintian.debian.org/tags/privacy-breach-generic.html
>
> On a related note, Debian also consider it problematic when code is
> distributed in scrambled (a.k.a. "minified") form, as that (similar to
> compiled code) makes it difficult to verify whether it contains the same
> code as the real editable source or perhaps accidentally is a different
> version with security flaws or licensing issues:
> https://lintian.debian.org/tags/embedded-javascript-library.html
>
> Here are some suggested best practices for releasing JavaScript-based
> code projects e.g. at GitHub:
>
>    * Include real source (i.e. preferred form for editing) of the code
>      you authored yourself.
>
>    * Use relative link to the real source, but make it easy (e.g. a
>      build flag) to replace that with another relative (e.g. minified)
>      path or a full URL (e.g. to own web served or a CDN location).
>
>    * Don't include minified source (at least in source branch, see
>      below).
>
>    * Don't include external code project (at least in source branch,
>      see below).  Instead, link with full URL to e.g. a CDN, and make
>      it easy (e.g. a build flag) to replace with either relative or
>      full URL.
>
>    * If relevant to release code for use as-is, do so separately from
>      source releases.  This not only makes sense for code projects
>      involving compilation, but also for scripted JavaScript code
>      which commonly requires merging, minification etc. deriving
>      irreversibly from its source form.
>
>
> Hope that helps (even if mostly not what you asked),
>
>   - Jonas
>

Certainly! All good takeaways / practices. Thanks for sharing.

-Sarven

Received on Thursday, 30 October 2014 10:38:03 UTC
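
Added example, not part of either message and not code from Debian or any rdfjs project: one way to implement the "build flag" practice from the list above, together with a check for remotely loaded resources of the kind the privacy-breach-generic tag is about. The library name, paths, CDN URL, the data-lib attribute and all function names are assumptions made for illustration.

```javascript
// Hypothetical build map: one logical library name, one path per build mode.
const LIBS = {
  "rdfjs-lib": {
    source: "js/rdfjs-lib/rdfjs-lib.js",   // relative link to the editable source
    minified: "dist/rdfjs-lib.min.js",     // relative path produced at release time
    cdn: "https://cdn.example.org/rdfjs-lib.min.js", // constructed URL
  },
};

// Point every <script data-lib="NAME" ...> at the path for the chosen mode.
// Scripts without data-lib are not managed by the build and stay untouched.
function rewriteScripts(html, mode) {
  return html.replace(/<script\b[^>]*>/gi, (tag) => {
    const m = /\bdata-lib="([^"]+)"/i.exec(tag);
    if (!m) return tag;
    const path = (LIBS[m[1]] || {})[mode];
    if (!path) throw new Error(`no "${mode}" path for ${m[1]}`);
    return tag.replace(/\bsrc="[^"]*"/i, () => `src="${path}"`);
  });
}

// List resources the browser fetches from a full URL at page load. Every such
// fetch tells the serving host who uses the page. Plain <a href> links and
// <link rel="canonical"> are not fetched on load, so they are skipped.
function findRemoteLoads(html) {
  const hits = [];
  for (const [tag, name] of html.matchAll(/<(script|img|iframe|link)\b[^>]*>/gi)) {
    const isLink = name.toLowerCase() === "link";
    if (isLink && !/\brel="stylesheet"/i.test(tag)) continue;
    const m = (isLink ? /\bhref="([^"]+)"/i : /\bsrc="([^"]+)"/i).exec(tag);
    // http:, https: and protocol-relative (//host) URLs are treated as remote.
    if (m && /^(https?:)?\/\//i.test(m[1])) {
      hits.push({ tag: name.toLowerCase(), url: m[1] });
    }
  }
  return hits;
}

// Constructed sample page, as it would sit in the source branch.
const SAMPLE = `<!doctype html>
<link rel="canonical" href="https://example.org/app/">
<link rel="stylesheet" href="css/app.css">
<script data-lib="rdfjs-lib" src="js/rdfjs-lib/rdfjs-lib.js"></script>
<script src="js/app.js"></script>
<a href="https://github.com/">GitHub</a>`;

console.log(findRemoteLoads(rewriteScripts(SAMPLE, "cdn")));
```

The source-branch page reports no remote loads; only the "cdn" build introduces one, which is the point at which a redistributor would switch the flag back to a relative path.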