❦ 21 October 2016 00:20 +0200, Joerg Jaspert <jo...@debian.org>:

>> #!/bin/sh
>> # I absolutely knew nothing about gulp, coffeescript, sass and uglify 15
>> minutes ago...
>> [...]
>> If you insist I can add build.sh script to the missing-source, but
>
> No, you do not put it in missing-source foo. You use it during the build
> of your package, that's the correct thing to do.

This is likely to introduce Debian-only bugs. For example, on the next
update, the version of epoch.js is updated to add an additional file. The
build process is not updated and we get a Debian-only bug in the
application that may be hard to detect because this only happens in some
parts of the application.

>> that's a new information for me that we are now doing distro
>> just for hipsters that can't read and write more than one twitter
>> message at the time, and can't read a simple makefile.
>
> Silly, you forgot later updates to the package not done by you. There is
> no reason why a security team should have to learn the above steps. They
> should edit the source and just build the package and that should do the
> right thing. Not needing to dig up whatever crap may be needed for
> today's hip sillyscript transformation.

It would be as easy for the security team to modify the unminified version
as the "upper" upstream version of the source. I suppose that (like me),
Ondřej Surý does not want to deal with the complexity of building JS from
the "upper" source for the benefit of people that don't exist.
-- 
Too much is just enough.
		-- Mark Twain, on whiskey