
Bug#872944: www.debian.org: Debian Policy Manual not fully published



Sean Whitton <spwhitton@spwhitton.name> writes:
> On Fri, Aug 25 2017, Laura Arjona Reina wrote:

>> My concern is about doing the right thing... making our web visitors
>> run javascript code from sid in their browsers does not sound right for
>> me.

It's fairly unlikely that this would cause a problem in practice given how
the JavaScript is used in this case and given the other contents of
www.debian.org.  The primary concern with JavaScript is that it could
expose the site to XSS or other web vulnerabilities, but I believe the
content of www.debian.org is entirely public, so there's no meaningful XSS
or CSRF or related vulnerability that I can think of.

The remaining issues seem fairly obscure.

That said, introducing Javascript for the first time does feel like a
large-ish step, and the reluctance also makes sense.  I'm not sure the
search functionality really adds much.  (I haven't checked to confirm that
is the only thing in the Sphinx output that uses JavaScript, and that it's
not used for something more useful like responsive design on mobile
browsers, but maybe Sean has.)

>> Would you (Debian Policy Team) consider acceptable to leave the website
>> version of the manual as it is now, without any javascript?

I have no objections!  I'm happy to have the web team make the call for
what makes the most sense for the web site.

> I'd want us to generate output that doesn't try to load any JavaScript,
> though, rather than publishing something which we expect to be buggy.
> [1] looks like a good starting point.

> Russ: do you agree?  If so, we can file a bug against policy to produce
> output without javascript, and block this bug by that one.

I suppose that also works, although it assumes that the only use of
JavaScript is just the search box.  I don't really want to do a lot of
meddling with the Sphinx output (since part of the goal is to let Sphinx
take care of the details of output), but this doesn't look like a ton of
work and looks likely to continue to be supported.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
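The thread leaves open whether the search box is the only thing in the Sphinx HTML that pulls in JavaScript. The following is an added example, not code from the thread or from the Debian Policy or Sphinx projects: a stdlib-only scanner that lists every external script reference and every inline script body in a page, so the build output can be checked before (and after) switching to a JavaScript-free configuration. The sample page is constructed here to resemble a Sphinx-built page with its search form; the script names and the DOCUMENTATION_OPTIONS snippet are assumptions about typical output, not a claim about what any particular policy build contains.

```python
"""Audit HTML for scripts a browser would execute.

Added example; not part of the Debian bug thread.  Uses only the standard
library so it can run on a bare build host.
"""
from html.parser import HTMLParser
from pathlib import Path


class ScriptAuditor(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append(attrs["src"])
        else:
            # HTMLParser switches to CDATA mode inside <script>, so the
            # body arrives through handle_data() until </script>.
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_html(html_text):
    """Return {'external': [src, ...], 'inline': [body, ...]} for one page."""
    parser = ScriptAuditor()
    parser.feed(html_text)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def is_javascript_free(html_text):
    """True only if the page carries no script at all, external or inline."""
    found = audit_html(html_text)
    return not found["external"] and not found["inline"]


def audit_build_dir(build_dir):
    """Walk a Sphinx HTML output directory and report pages that load scripts.

    Returns {relative_path: audit_result} for every page that is not clean.
    """
    root = Path(build_dir)
    offenders = {}
    for page in sorted(root.rglob("*.html")):
        result = audit_html(page.read_text(encoding="utf-8", errors="replace"))
        if result["external"] or result["inline"]:
            offenders[str(page.relative_to(root))] = result
    return offenders


# Constructed sample, approximating a Sphinx page with the search box;
# the exact script names are assumptions, not taken from a real build.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<title>Debian Policy Manual</title>
<link rel="stylesheet" href="_static/alabaster.css" type="text/css">
<script type="text/javascript">
  var DOCUMENTATION_OPTIONS = {URL_ROOT: './'};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
</head>
<body>
<div id="searchbox"><form class="search" action="search.html" method="get">
<input type="text" name="q"></form></div>
<p>This manual describes the policy requirements for the Debian distribution.</p>
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_PAGE)
    for src in report["external"]:
        print("external script:", src)
    for body in report["inline"]:
        print("inline script:", body.splitlines()[0] if body else "(empty)")
    print("javascript-free:", is_javascript_free(SAMPLE_PAGE))
```

Run `audit_build_dir` against the directory Sphinx writes (the `html` target) to see which pages pull in scripts; a configuration that really produces JavaScript-free output yields an empty result, whereas a build where only the search box was removed will still show the shared `_static` scripts on every page.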

