Michael Meskes dijo [Fri, Feb 16, 2018 at 10:07:06PM +0100]:
> > Is was a relevant part of the problem mentioned in Raphaels bug
> > report: Minified JS libraries without source code. this was one
> > of the starting points of this discussion. (#890598)
>
> Right, although merely technical since there is source code, albeit not
> very legible or maintainable.
Minification is quite comparable to compilation. I will give you some
examples from my frustration with Drupal8 in this answer. This can no
longer be seen as source code:
https://anonscm.debian.org/cgit/collab-maint/drupal8.git/tree/core/assets/vendor/classList/classList.min.js
And it's far from the ugliest example I can quote. Of course, I needed
to ship sources for all of them - Take a look at:
https://anonscm.debian.org/cgit/collab-maint/drupal8.git/tree/debian/missing-sources/README
And, of course, think about the huge diff that is to be created for
all of the files in debian/missing-sources.
> > The bug report mentions two orthogonal problems:
> > - libraries without source code or no license information
>
> I might have missed the missing license problem, but I'm pretty noone
> wants to see unlicensed software in Debian, which also would be
> illegal.
Take this as an example of what is needed for a moderately complex PHP
webapp with lots of JS in it:
https://anonscm.debian.org/cgit/collab-maint/drupal8.git/tree/debian/copyright
Of course, it was all hand-generated and validated.
> > - libraries which are needed in specific versions
>
> This one really worries me. I wonder how many similar cases we already
> have, where somebody took some code and changed it slightly before
> including it.
And that's where I dropped the ball. Upstream says they will keep
dependencies refreshed - that means that every project version bump,
they will pull in the newest stable versions for all of the projects I
covered in the above links. Of course, I had come up with a clunky bit
in my debian/rules to track any changes:
override_dh_install:
# Ensure the list of third-party included libraries remains
# consistent with what we already checked
SHATMP=`mktemp --tmpdir SHA_CK.XXXXX` && \
sha256sum core/core.libraries.yml > $$SHATMP && \
diff -q debian/missing-sources/tracking.sha256 $$SHATMP && \
rm $$SHATMP
But... That would inescapably be run at every minor bump. And it's
just too much of a PITA to build.
> > I add a third one:
> > - libraries that are not packaged, because there are too many
>
> The problem is probably less the amount but more the manual work to
> find the canonical sources. Packing a go "library" for instance does
> not take a lot of time, because it can be done mostly automated.
But packaging the precise version that is required in each little bump
is just impossible.
Attachment:
signature.asc
Description: PGP signature