On Fri, 25 Apr 2014 16:47:41 +0200 Jeroen Dekkers <jer...@dekkers.ch> wrote:
> At Fri, 25 Apr 2014 14:58:35 +0200,
> Daniel Pocock wrote:
> > There is no doubt in my mind that if the rules are not strict then
> > sooner or later somebody will sneak something bad into some minified
> > Javascript - maybe it will happen upstream and the DD won't even be
> > aware of it.
>
> Yes, and that's why javascript shipped in binary packages should be
> built from source and we should not copy minified javascript files
> from upstream. I think there isn't much disagreement about that
> part. But if the minified javascript files in the upstream tarball
> aren't used when building the binary packages because the javascript
> libraries are already packaged in Debian, then it isn't possible that
> something bad sneaks in our packages. So why repack the upstream
> tarball?
>
> I don't really see any value in repacking every upstream tarball that
> has a minified copy of jQuery.

For one thing it makes it *a lot* simpler to scan the archive for exactly the kind of problem you describe and we all need to avoid.

Secondly it makes it simple for people working from the Debian source package to check and debug the package without needing a build step and without possible confusion about which file gets used.

Finally, there is the issue that these minified JS files are not source code and we should not be distributing files in source packages for which there is no source code in that same source package. Why distribute two versions when the build system has to minify them & replace the minified one anyway?

I'm arguing from a slightly different perspective: I am upstream for the package to which this problem will apply by the time I upload it. I'm going through the work of handling the JS files with the upstream team and I'm the one persuading the team that we need to do it this way. Compared to that amount of work, stripping a few files from a tarball using uscan is utterly trivial and I don't see why it is a problem.

It's quite a bit harder to do the right thing and persuade upstream to not include them.

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/
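The archive scan Neil refers to, as an added example that is not part of this thread and not a Debian tool: a small Python lint (hypothetical) that walks an unpacked source tree, flags `.js` files that look minified (by name or by density), and reports whether a readable source file sits beside each one, so a reviewer can see which minified blobs have no source in the same package.

```python
#!/usr/bin/env python3
"""Flag minified JavaScript shipped without its readable source (hypothetical lint)."""
import os
import sys

MAX_LINE = 1000        # a single line longer than this is almost never hand-written
NEWLINE_RATIO = 0.002  # newlines per byte below this marks a dense, minified blob
MIN_SIZE = 2048        # files smaller than this are too short for the density test


def looks_minified(path):
    """Return True when the file name or its layout marks it as minified."""
    if path.endswith(".min.js"):
        return True
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < MIN_SIZE:
        return False
    longest = max(len(line) for line in data.split(b"\n"))
    ratio = data.count(b"\n") / len(data)
    return longest > MAX_LINE or ratio < NEWLINE_RATIO


def source_candidates(path):
    """Names a readable source for this minified file might have (foo.min.js -> foo.js)."""
    base = path[:-len(".min.js")] if path.endswith(".min.js") else path[:-len(".js")]
    return [base + ".js", base + "-src.js", base + ".src.js"]


def scan_tree(root):
    """Return [(minified_path, source_path_or_None)] for every minified .js under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            if not looks_minified(path):
                continue
            src = next((c for c in source_candidates(path)
                        if c != path and os.path.exists(c)), None)
            findings.append((os.path.relpath(path, root),
                             os.path.relpath(src, root) if src else None))
    return findings


if __name__ == "__main__":
    for minified, src in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (minified, "source: " + src if src else "NO SOURCE IN TREE"))
```

Run it against an unpacked source package; every line ending in `NO SOURCE IN TREE` is a file that should either be stripped from the tarball or rebuilt from a packaged library at build time.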