Re: [Pkg-dns-devel] Bug#833309: "Browserified" stuff (knot-resolver-module-http: please package embedded epoch.js separately)

 ❦ 21 October 2016 00:20 +0200, Joerg Jaspert <joerg@debian.org>:

>> #!/bin/sh
>> # I absolutely knew nothing about gulp, coffeescript, sass and uglify 15
>> minutes ago...
>> [...]
>> If you insist I can add build.sh script to the missing-source, but
> No, you do not put it in missing-source foo. You use it during the build
> of your package, that's the correct thing to do.

This is likely to introduce Debian-only bugs. For example, on the next
update, the version of epoch.js is updated to add an additional
file. The build process is not updated and we get a Debian-only bug in
the application that may be hard to detect because this only happens in
some part of the application.

>> that's a new information for me that we are now doing distro
>> just for hipsters that can't read and write more than one twitter
>> message at the time, and can't read a simple makefile.
> Silly, you forgot later updates to the package not done by you. There is
> no reason why a security team should have to learn the above steps. They
> should edit the source and just build the package and that should do the
> right thing. Not needing to dig up whatever crap may be needed for
> today's hip sillyscript transformation.

It would be as easy for the security team to modify the unminified version
as the "upper" upstream version of the source.

I suppose that (like me), Ondřej Surý does not want to deal with the
complexity of building JS from the "upper" source for the benefit of
people that don't exist.
Too much is just enough.
		-- Mark Twain, on whiskey
