
Re: [Pkg-dns-devel] Bug#833309: "Browserified" stuff (knot-resolver-module-http: please package embedded epoch.js separately)



 ❦ 21 October 2016 00:20 +0200, Joerg Jaspert <joerg@debian.org>:

>> #!/bin/sh
>> # I absolutely knew nothing about gulp, coffeescript, sass and uglify 15
>> minutes ago...
>> [...]
>> If you insist I can add build.sh script to the missing-source, but
>
> No, you do not put it in missing-source foo. You use it during the build
> of your package, that's the correct thing to do.

This is likely to introduce Debian-only bugs. For example, on the next
update, the version of epoch.js is updated to add an additional
file. The build process is not updated and we get a Debian-only bug in
the application that may be hard to detect because this only happens in
some parts of the application.

>> that's new information for me that we are now doing distro
>> just for hipsters that can't read and write more than one twitter
>> message at a time, and can't read a simple makefile.
>
> Silly, you forgot later updates to the package not done by you. There is
> no reason why a security team should have to learn the above steps. They
> should edit the source and just build the package and that should do the
> right thing. Not needing to dig up whatever crap may be needed for
> today's hip sillyscript transformation.

It would be as easy for the security team to modify the unminified version
as the "upper" upstream version of the source.

I suppose that (like me), Ondřej Surý does not want to deal with the
complexity of building JS from the "upper" source for the benefit of
people that don't exist.
-- 
Too much is just enough.
		-- Mark Twain, on whiskey
