[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-dns-devel] Bug#833309: "Browserified" stuff (knot-resolver-module-http: please package embedded epoch.js separately)

Quoting Vincent Bernat (2016-10-21 07:26:43)
>  ❦ 21 octobre 2016 00:20 +0200, Joerg Jaspert <joerg@debian.org> :
>>> #!/bin/sh
>>> # I absolutely new nothing about gulp, coffeescript, sass and uglify 15
>>> minutes ago...
>>> [...]
>>> If you insist I can add build.sh script to the missing-source, but
>> No, you do not put it in missing-source foo. You use it during the 
>> build of your package, thats the correct thing to do.
> This is likely to introduce Debian-only bugs. For example, on the next 
> update, the version of epoch.js is updated to add an additional file. 
> The build process is not updated and we get a Debian-only bug in the 
> application that may be hard to detect because this only happens in 
> some part of the applications.

Obviously whatever you do custom for a Debian package compared to 
upstream, you will need to ensure keep working.  If upstream does not 
provide a testsuite that you can rely on for that, you might consider 
adding appropriate tests yourself.  Simplest example I can think of 
specifically for bypassing upstream build routine is to add a rule that 
fails if an md5 checksum of files involved in said upstream build 
routine changes.

>>> that's a new information for me that we are now doing distro just 
>>> for hipsters that can't read and write more than one twitter message 
>>> at the time, and can't read a simple makefile.
>> Silly, you forgot later updates to the package not done by you. There 
>> is no reason why a security team should have to learn the above 
>> steps. They should edit the source and just build the package and 
>> that should do the right thing. Not needing to dig up whatever crap 
>> may be needed for todays hip sillyscript transformation.
> It would be as easy for the security team to modify the unminified 
> version than the "upper" upstream version of the source.
> I suppose that (like me), Ondřej Surý does not want to deal with the 
> complexity of building JS from the "upper" source for the benefit of 
> people that don't exist.

There are likely no Debian users on lonely islands either.  That is not 
an acceptable reason for weakening the quality of our packages.

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply to: