Quoting Vincent Bernat (2016-10-21 07:26:43)
>  ❦ 21 octobre 2016 00:20 +0200, Joerg Jaspert <joerg@debian.org> :
>
>>> #!/bin/sh
>>> # I absolutely knew nothing about gulp, coffeescript, sass and uglify 15
>>> minutes ago...
>>> [...]
>>> If you insist I can add build.sh script to the missing-source, but
>>
>> No, you do not put it in missing-source foo. You use it during the
>> build of your package, that's the correct thing to do.
>
> This is likely to introduce Debian-only bugs. For example, on the next
> update, the version of epoch.js is updated to add an additional file.
> The build process is not updated and we get a Debian-only bug in the
> application that may be hard to detect because this only happens in
> some part of the applications.

Obviously whatever you do custom for a Debian package compared to
upstream, you will need to ensure it keeps working. If upstream does not
provide a testsuite that you can rely on for that, you might consider
adding appropriate tests yourself.

Simplest example I can think of specifically for bypassing upstream
build routine is to add a rule that fails if an md5 checksum of files
involved in said upstream build routine changes.

>>> that's new information for me that we are now doing distro just
>>> for hipsters that can't read and write more than one twitter message
>>> at the time, and can't read a simple makefile.
>>
>> Silly, you forgot later updates to the package not done by you. There
>> is no reason why a security team should have to learn the above
>> steps. They should edit the source and just build the package and
>> that should do the right thing. Not needing to dig up whatever crap
>> may be needed for today's hip sillyscript transformation.
>
> It would be as easy for the security team to modify the unminified
> version as the "upper" upstream version of the source.
>
> I suppose that (like me), Ondřej Surý does not want to deal with the
> complexity of building JS from the "upper" source for the benefit of
> people that don't exist.

There are likely no Debian users on lonely islands either. That is not
an acceptable reason for weakening the quality of our packages.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
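One way to write the rule suggested in the message above (fail the package build when files involved in the upstream build routine change), as an added example that is not code from the thread. It goes slightly beyond a plain checksum list by also flagging files added or removed under the watched paths, which covers the "additional file" case raised in the quoted reply; the function names, the manifest path and the watched paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. All names and paths are assumptions.
# md5 is used because the message suggests it; it detects change, not
# deliberate tampering. sha256sum is a drop-in replacement for md5sum here.

# hash_build_inputs SRCDIR PATH...
# Print "checksum  name" for every regular file under the given paths
# (files or directories, relative to SRCDIR), sorted by name so the
# output is stable between runs.
hash_build_inputs() {
    srcdir=$1; shift
    ( cd "$srcdir" && find "$@" -type f -exec md5sum {} + | LC_ALL=C sort -k 2 )
}

# record_build_inputs MANIFEST SRCDIR PATH...
# Run by the maintainer after reviewing a new upstream release and
# confirming the Debian-specific build still matches upstream's.
record_build_inputs() {
    manifest=$1; shift
    hash_build_inputs "$@" > "$manifest"
}

# check_build_inputs MANIFEST SRCDIR PATH...
# Return 0 when the watched files are exactly those recorded, unchanged.
# Return 1 (and show the difference on stderr) when a file was modified,
# removed, or newly added under a watched directory.
check_build_inputs() {
    manifest=$1; shift
    if hash_build_inputs "$@" | diff -u "$manifest" - >&2; then
        return 0
    fi
    echo "upstream build inputs changed: review them, update the" >&2
    echo "Debian build script, then re-record $manifest" >&2
    return 1
}

# Hypothetical call from debian/rules, before the Debian-specific build:
#   check_build_inputs debian/upstream-build.md5 . gulpfile.js package.json src
```

Because the check fails the build rather than warning, whoever uploads the next upstream version has to look at the changed build inputs before the package can be built.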