Hi Gianfranco,
Quoting Gianfranco Costamagna (2014-10-29 13:41:30)
> I'm stuck with this jquery problem, and I don't know the best solution
> for it.
>
> Doxygen creates and embeds a patched jquery version (why they don't
> extend jquery in another file or rename it to avoid clashes is obscure
> to me), then symlink can result in a broken documentation.
>
> Many sponsors don't sign a package with a lintian warning/error such
> as "embedded jquery minified version" or so, and so I started making
> packages with a dh_linktree jquery symlink (I know this is bad, and
> this is the reason of why I'm here).
>
> So I would like to know what is the best way to solve it, I'm open to
> avoid all the symlinks in my packages that are currently:
> -casablanca (new queue)
> -websocketpp
> -libsdl2-gfx
> -lucene++
>
> (maybe others I don't recall now)
>
> But I would like to do it after knowing what is the best solution for
> the problem [1].
>
> Shipping minified js is considered a security issue, even for doc
> package, and the bug seems likely in doxygen rather than in packages
> using it, and patching lintian is an open bug [2] :)
>
>
> References I found by googling (and with thanks to some of my mentors)
>
> [1] https://lists.debian.org/debian-mentors/2012/11/msg00310.html
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736360

For the source package I believe you should either...

 a) ensure that the code is truly the code that it claims to be
    (filename "jquery-1.2.3" quite arguably is not adequate assurance
    that it contains unaltered version 1.2.3 of jQuery).
    This can be difficult to ensure - one way is to build-depend on
    believed-to-be-same code, and check that content is identical
    (which may involve re-serialization of content).
 b) repackage upstream source to not redistribute with Debian code
    which is uncertain what it really is.

For the source package I believe you should either...

 a) Recommend jquery, and patch your code to link against it.
    This can be difficult: If you use /javascript/... as path it will
    only work when served by a webserver supporting such indirection
    (e.g. by use of javascript-common). If instead you use
    /usr/share/javascript/... as path it will only work when offline
    or served by a webserver supporting such indirection (currently
    no package handles that out of the box).
 b) Depend on jquery, and symlink it from where your code expects
    it.

I don't follow why using a symlink is bad - if only you ensure to not
have broken symlink, by depending on (not recommending) the jquery
package.

 - Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
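
The content check suggested in option a) for the source package, as an added example that is not part of the original message: it compares an embedded copy against the copy from a build-dependency after removing serialization-only differences. The function names are hypothetical, and the normalization (CR line endings, trailing whitespace, blank lines) is an assumption about what "re-serialization" needs to cover; it does not reconcile minified with unminified code.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# normalize_js FILE: print FILE with serialization-only differences removed
# (CR line endings, trailing whitespace, blank lines). Tokens are untouched,
# so any real code change still alters the output.
normalize_js() {
    tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' | sed -e '/^$/d'
}

# js_digest FILE: SHA-256 of the normalized content.
js_digest() {
    normalize_js "$1" | sha256sum | cut -d' ' -f1
}

# same_js EMBEDDED PACKAGED
#   returns 0 when both files carry the same code after normalization,
#   1 when the content differs (for example a patched copy),
#   2 when either file is missing or unreadable.
same_js() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(js_digest "$1")" = "$(js_digest "$2")" ]
}

# Stand-alone use: pass the embedded file and the packaged file as arguments
# and fail the build when they are not the same code.
if [ "$#" -eq 2 ]; then
    same_js "$1" "$2" || {
        echo "embedded copy $1 is not identical to $2" >&2
        exit 1
    }
fi
```

A copy that fails this check is the case where replacing it with a symlink to the packaged file would change what the documentation loads.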