On April 25, 2014 04:40:26 PM Neil Williams wrote:
> Jeroen Dekkers <jer...@dekkers.ch> wrote:
> > part. But if the minified javascript files in the upstream tarball
> > aren't used when building the binary packages because the javascript
> > libraries are already packaged in Debian, then it isn't possible that
> > something bad sneaks in our packages. So why repack the upstream
> > tarball?
> >
> > I don't really see any value in repacking every upstream tarball that
> > has a minified copy of jQuery.
>
> For one thing it makes it *a lot* simpler to scan the archive for
> exactly the kind of problem you describe and we all need to avoid.

That sounds like you're asking N developers to do a bunch of extra busywork
so that 1 person's job is made easier. Here's an alternative: if you can
indeed scan the archive for bad files, add that detector to the
archive-rebuilding project and do this:

1. Unpack
2. Remove bad files
3. Build

If it still builds after removal, you have proved the bad file is not used.

> Secondly it makes it simple for people working from the Debian source
> package to check and debug the package without needing a build step and
> without possible confusion about which file gets used.

Perhaps, but again there's a simpler alternative: remove the bad file in the
"clean" target. That proves to the reader of debian/rules that the bad file
is not used.

> Finally, there is the issue that these minified JS files are not source
> code and we should not be distributing files in source packages for
> which there is no source code in that same source package.

I think this absolutist view was eloquently debunked by Russ Allbery
recently; see https://lists.debian.org/debian-devel/2014/03/msg00270.html

In summary: yes, such files should not be used to generate the binary and
they are a nuisance to have in the source package, but a nuisance is all it
is.

-Steve
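
The unpack / remove / build check proposed in the message above, as an added shell example that is not part of the original thread or of any Debian tooling. The function names, the `*.min.js` name match used as the "bad file" detector, and the two constructed sample trees are assumptions made for illustration.

```shell
#!/bin/sh
# Assumption: "bad files" are recognised by name (*.min.js); swap in the
# real detector if the archive scan uses different criteria.

# List minified JavaScript files under source tree $1, one per line.
find_minified() {
    find "$1" -type f -name '*.min.js' | sort
}

# Steps 2 and 3 of the procedure: delete the bad files from tree $1, then
# run the build command (remaining arguments) from inside the tree.
# Exit status 0 means the build did not need the removed files.
build_without_minified() {
    tree=$1
    shift
    find "$tree" -type f -name '*.min.js' -exec rm -f {} + || return 2
    ( cd "$tree" && "$@" )
}

# Constructed sample trees standing in for unpacked source packages.
# "clean" builds from the readable source only; "tainted" copies the bundled
# minified file into its output, so its build breaks once the file is gone.
make_sample_trees() {
    root=$1
    mkdir -p "$root/clean/js" "$root/tainted/js"
    for t in clean tainted; do
        echo 'function f(){return 1;}' > "$root/$t/js/app.js"
        echo 'function f(){return 1}' > "$root/$t/js/jquery.min.js"
    done
    echo 'mkdir -p out && cp js/app.js out/' > "$root/clean/build.sh"
    echo 'mkdir -p out && cp js/app.js js/jquery.min.js out/' \
        > "$root/tainted/build.sh"
}

# With a real source package, step 1 would be:
#   dpkg-source -x package.dsc tree
# and the build command passed to build_without_minified:
#   dpkg-buildpackage -us -uc -b
```

A non-zero exit from `build_without_minified` flags a package whose build still consumes the bundled minified copy and therefore needs a closer look.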