Re: Reference to RDFJS libraries

Quoting Jonas Smedegaard (2014-10-29 17:50:40)
> Quoting Sarven Capadisli (2014-10-29 12:21:32)
>> If you use one of the rdfjs libraries in your front-end (browser) 
>> application, do you refer to the source or have a local copy?
>>
>> I'm inclined to point to a GitHub resource for example, if others 
>> wouldn't mind relying on that in their applications as well i.e., to 
>> collectively take advantage of user browser caching. Otherwise, it is 
>> more of a bother, and a local copy instead is as reliable as it gets.
>>
>> Is there a consensus? Got thoughts?
>
> Beware that referencing is a source of tracking its use.  Some see 
> that as a benefit, others as worrisome.
>
> Debian have begun actively detecting and patching uses of CDNs in 
> their (or our - I am a Debian Developer) redistribution of code 
> projects: https://lintian.debian.org/tags/privacy-breach-generic.html
>
> On a related note, Debian also consider it problematic when code is 
> distributed in scrambled (a.k.a. "minified") form, as that (similar to 
> compiled code) makes it difficult to verify whether it contains the same 
> code as the real editable source or perhaps accidentally is a different 
> version with security flaws or licensing issues: 
> https://lintian.debian.org/tags/embedded-javascript-library.html
>
> Here are some suggested best practices for releasing JavaScript-based 
> code projects e.g. at GitHub:
>
>  * Include real source (i.e. preferred form for editing) of the code 
>    you authored yourself.
>
>  * Use a relative link to the real source, but make it easy (e.g. a 
>    build flag) to replace that with another relative (e.g. minified) 
>    path or a full URL (e.g. to own web served or a CDN location).
>
>  * Don't include minified source (at least in source branch, see
>    below).
>
>  * Don't include external code projects (at least in source branch, 
>    see below).  Instead, link with full URL to e.g. a CDN, and make
>    it easy (e.g. a build flag) to replace with either relative or
>    full URL.
>
>  * If relevant to release code for use as-is, do so separately from
>    source releases.  This not only makes sense for code projects
>    involving compilation, but also for scripted JavaScript code
>    which commonly requires merging, minification etc. deriving
>    irreversibly from its source form.

  * Instead of ambiguous "MIT" refer to that license as "Expat"
    (if that is in fact your chosen licensing terms, obviously)

  * Consider using "JavaScript License Web Labels" as documented at
    <https://www.gnu.org/licenses/javascript-labels.html>


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Received on Friday, 31 October 2014 10:23:57 UTC
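
The message above suggests making it easy, e.g. with a build flag, to switch script references between a relative path and a full CDN URL, and notes that external references let third parties track use. The following is an added example, not code from the thread, from Debian, or from lintian: it lists the references in a page that would contact another host and rewrites mapped ones to local paths. The host `cdn.example.org`, the file paths, `LOCAL_MAP` and all function names are constructed for illustration.

```javascript
'use strict';
// Added example. Hosts, paths and names below are constructed for illustration.

// Constructed sample page: two third-party references and one local script.
const SAMPLE_HTML = [
  '<script src="https://cdn.example.org/rdf-lib/1.0/rdf.min.js"></script>',
  '<link rel="stylesheet" href="//cdn.example.org/ui/ui.css">',
  '<script src="js/app.js"></script>',
].join('\n');

// Hypothetical mapping from each CDN URL to the unminified copy shipped locally.
const LOCAL_MAP = {
  'https://cdn.example.org/rdf-lib/1.0/rdf.min.js': 'vendor/rdf-lib/rdf.js',
  '//cdn.example.org/ui/ui.css': 'vendor/ui/ui.css',
};

// src/href attributes on tags that make the browser fetch a resource on load.
// A regex scan is a simplification; a real audit would use an HTML parser.
const REF_RE = /<(script|link|img|iframe)\b[^>]*?\s(src|href)\s*=\s*(["'])(.*?)\3/gi;

// External means the URL names a host: absolute http(s) or protocol-relative.
function isExternal(url) {
  return /^(?:https?:)?\/\//i.test(url.trim());
}

// List every reference that would contact a third-party host.
function findExternalRefs(html) {
  const found = [];
  for (const m of html.matchAll(REF_RE)) {
    if (isExternal(m[4])) found.push({ tag: m[1].toLowerCase(), url: m[4] });
  }
  return found;
}

// The "build flag": mode "cdn" leaves the page as is, mode "local" swaps each
// mapped URL for its relative path. Unmapped URLs are left for the audit to flag.
function rewriteRefs(html, mode, localMap) {
  if (mode !== 'local') return html;
  return html.replace(REF_RE, (whole, tag, attr, quote, url) => {
    const local = localMap[url.trim()];
    if (!local) return whole;
    // whole ends with url + closing quote; keep everything before the url.
    return whole.slice(0, whole.length - url.length - 1) + local + quote;
  });
}

const localBuild = rewriteRefs(SAMPLE_HTML, 'local', LOCAL_MAP);
console.log(findExternalRefs(SAMPLE_HTML).length, '->', findExternalRefs(localBuild).length);
```

Running `findExternalRefs` over the built output in CI gives a simple gate: any remaining entry is a reference that still reaches a third-party host.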