[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Doxygen and embedded jquery problem, how to solve?

Hi Gianfranco,

Quoting Gianfranco Costamagna (2014-10-29 13:41:30)
> I'm stuck with this jquery problem, and I don't know the best solution 
> for it.
> Doxygen creates and embeds a patched jquery version (why they don't 
> extend jquery in another file or rename it to avoid clashes is obscure 
> to me), then symlink can result in a broken documentation.
> Many sponsors doesn't sign a package with a lintian warning/error such 
> as "embedded jquery minified version" or so, and so I started making 
> packages with a dh_linktree jquery symlink (I know this is bad, and 
> this is the reason of why I'm here).
> So I would like to know what is the best way to solve it, I'm open to 
> avoid all the symlinks in my packages that are currently:
> -casablanca (new queue)
> -websocketpp
> -libsdl2-gfx
> -lucene++
> (maybe others I don't recall now)
> But I would like to do it after knowing what is the best solution for 
> the problem [1].
> Shipping minified js is considered a security issue, even for doc 
> package, and the bug seems likely in doxygen rather than in packages 
> using it, and patching lintian is an open bug [2] :)
> References I found by googling (and with thanks to some of my mentors)
> [1] https://lists.debian.org/debian-mentors/2012/11/msg00310.html
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736360

For the source package I believe you should either...

 a) ensure that the code is truly the code that it claims to be
    (filename "jquery-1.2.3" quite arguably is not adequate ensurance
    that it contains unaltered version 1.2.3 of jQuery).
    This can be difficult to ensure - one way is to build-depend on
    believed-to-be-same code, and check that content is identical
    (which may involve re-serialization of content).
 b) repackage upstream source to not redistribute with Debian code
    which is uncertain what it really is.

For the source package I believe you should either...

 a) Recommend jquery, and patch your code to link against it.
    This can be difficult: If you use /javascript/... as path it will
    only work when served by a webserver supporting such indirection
    (e.g. by use of javascript-common).  If instead you use
    /usr/share/javascript/... as path it will only work when offline
    or served by a webserver supporting such indirection (currently
    no package handles that out of the box).
 b) Depend on jquery, and symlink it from where your code expects

I don't follow why using a symlink is bad - if only you ensure to not 
have broken symlink, by depending on (not recommending) the jquery 

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply to: