Privacybadger: Please distribute source files for Javascript libraries in src/lib/vendor

Created on 15 Dec 2018 · 15 Comments · Source: EFForg/privacybadger

At the moment only minified Javascript versions of jquery, underscore, jquery-ui and tooltipster are distributed with privacybadger. Please consider to ship the full and unminified source code of these files because the current files are not the preferred form of modification. Thank you.

question task

All 15 comments

Hello! Could you go more into why you need unminified third-party vendor files to live in this repository (or to be distributed with Privacy Badger releases)? We shouldn't ever have to modify those files. If you'd like to work with original sources for whatever reason, you should be able to retrieve them yourself from the respective project's homepage/GitHub/npm.

Hello

I maintain privacybadger for Debian. https://tracker.debian.org/pkg/privacybadger

We promise that we always distribute source code along with every program in compiled form.

https://www.debian.org/social_contract

By distributing minified Javascript files in your program without the corresponding sources you make it hard to verify whether the minified version corresponds to the original sources. Have you ever tried to compile/minify those JS libraries yourself and verified that the sources and minified files match? How can you be sure that they are reproducible and nobody else tampered with them?

See also the reproducible builds effort for more information about this topic.

https://reproducible-builds.org/

There are also scenarios where the recipient of your program might have no internet connection or wants to modify the code offline. Or what happens when the original project vanishes?

Then there is also the legal aspect. Privacybadger is licensed under the GNU General Public License 3 or later which states:

"The "source code" for a work means the preferred form of the work for making modifications to it."

jQuery, underscore and other libraries are the "Corresponding Source":

"The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities."

The best way to convey the Corresponding Source is to ship it along with your program. Pointing to third party servers when you cannot even be sure what version you distribute at the moment can cause major headaches for those who abide by the license terms.

In any case I think it is just good practice to ship the human-readable JS code along with a minified version and in case of privacybadger, a firefox addon focused on privacy and not a web application, I wonder if it wouldn't be even better to use the original *.js files instead of the *.min.js versions for transparency reasons.
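A check in the spirit of the verification argument above, added here as an example and not code from the Privacy Badger project or from either commenter: it audits a vendor directory (the page's src/lib/vendor layout is assumed) for minified files that lack an unminified sibling and for files whose SHA-256 does not match a pinned manifest recorded when the files were vetted against upstream. The sample tree, file contents and manifest are constructed.

```python
"""Audit a vendored-JS directory: every *.min.js needs its unminified source
next to it, and every file must match a pinned SHA-256 manifest."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_vendor_dir(vendor_dir, manifest):
    """Return a list of finding strings; an empty list means the directory is clean.
    manifest maps file name -> SHA-256 hex digest recorded at vetting time."""
    findings = []
    names = sorted(os.listdir(vendor_dir))
    for name in names:
        if not name.endswith(".js"):
            continue
        if name.endswith(".min.js"):
            source_name = name[:-len(".min.js")] + ".js"
            if source_name not in names:
                findings.append(f"{name}: no unminified source {source_name} shipped alongside")
        expected = manifest.get(name)
        actual = sha256_of(os.path.join(vendor_dir, name))
        if expected is None:
            findings.append(f"{name}: not in manifest (unvetted file)")
        elif actual != expected:
            findings.append(f"{name}: SHA-256 mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    for name in manifest:
        if name not in names:
            findings.append(f"{name}: listed in manifest but missing from {vendor_dir}")
    return findings


def demo():
    """Constructed tree: jquery ships both forms, tooltipster only the minified one."""
    d = tempfile.mkdtemp()
    files = {
        "jquery.js": b"/* constructed stand-in for jquery source */\nfunction jq(){}\n",
        "jquery.min.js": b"function jq(){}",
        "tooltipster.min.js": b"function tt(){}",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    manifest = {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}
    manifest["jquery.min.js"] = "0" * 64  # deliberately wrong pin to show the mismatch finding
    return audit_vendor_dir(d, manifest)
```

Running demo() reports two findings: tooltipster.min.js has no source sibling, and jquery.min.js no longer matches its pinned hash.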

OK, I'll look into replacing the minified libraries with original sources.

Could you update Privacy Badger's description to "Privacy Badger automatically learns to block invisible trackers."? Ideally you'd get it automatically from the "description" message of the en_US locale.

Similarly, could you update the long-form description ("Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly...") to the text in our README? Maybe starting from "Instead of keeping lists of what to block, Privacy Badger learns..." to "To learn more, see the FAQ on Privacy Badger's homepage."

OK, I'll look into replacing the minified libraries with original sources.

Thank you.

Could you update Privacy Badger's description to "Privacy Badger automatically learns to block invisible trackers."?

Yes, I can change the short description. However it is hardcoded in the debian/control file because the package description usually doesn't change. The long description was copied from the README but I guess it has been changed recently.

@apoleon The Privacy Badger Debian package appears to be stuck on version 2019.2.19. Privacy Badger is on a (approximately) monthly release schedule, with major bug and site fixes included in nearly every update. There is no "stable"/LTS/ESR Privacy Badger release you could point to as the version to install for months at a time. Could you aim for keeping the Debian package updated to the latest version available from https://privacybadger.org/? Thank you!

The latest version of privacybadger is always available in Debian unstable. There is usually a short delay because packaging requires time and privacybadger is not the only project I currently maintain in Debian. What you are referring to is Debian stable. See also Debian stability. Packages in stable usually don't change unless there is an important or grave security or usability issue. The latter can only be fixed via stable point updates which happen every two or three months. At the moment I don't plan to update privacybadger via point updates in stable. Everyone who needs a more recent version can use the packages from testing or unstable.

a short delay

That's fine!

Packages in stable usually don't change unless there is an important or grave security or usability issue.

Yes to both. Many important security and usability fixes have landed since 2019.2.19.

I'd prefer to not have Privacy Badger in Debian stable to having an out-of-date Privacy Badger.

Yes to both. Many important security and usability fixes have landed since 2019.2.19.

What security issues did you fix in privacybadger? What commits did fix them? Why did you not request a CVE to make them public?

I'd prefer to not have Privacy Badger in Debian stable to having an out-of-date Privacy Badger.

Debian produces stable. If your software isn't suitable for stable, then it is better to remove your addon from Debian completely. If that is your wish, I will request the removal from Debian and step down as maintainer of privacybadger.

Having reviewed the release notes since 2019.2.19, I'd like to amend my previous statement to that we have had many important usability fixes since 2019.2.19.

I recommend using the latest version of Privacy Badger only. I do not recommend using out of date versions. I would prefer for all our distribution channels to provide as close to the latest version as possible. As you are much more familiar with Debian than I am, please do what makes the most sense to you given my recommendations.

@apoleon So what do you think we should do here?

I have asked on our mailing list if someone else is interested in maintaining privacybadger. I got one positive feedback from John who also seems to be interested in updating privacybadger in stable on a regular basis as well. Should he take over maintainership, I'll let you know.

privacybadger in Debian has a new maintainer. I suppose Jonas will update the addon in stable and continue the support in testing and unstable. https://tracker.debian.org/pkg/privacybadger
