
Re: Building from source required?
On Wed, Dec 3, 2008 at 7:42 PM, Florian Weimer <fw@deneb.enyo.de> wrote:

> libjs-jquery prompted this question.  The files in dist/ have been
> processed and are not source-equivalent, and are directly copied into
> the binary package.

Quite a common occurrence with JavaScript stuff unfortunately.

>> Sounds like a package that has source that is built using something
>> non-free, which would put it in contrib?
>
> Hmm, I don't really know which Javascript packer is used there.

There are free JavaScript packers (the yahoo one comes to mind - BSD licensed).

IMO this is a policy/sanity issue rather than a DFSG one; you have the
source and the pre-packed binary, nothing prevents you from doing that
packing yourself. By directly installing the pre-compiled one into the
binary package, any patches applied to the source files will not
result in changes in the binary package, which could be annoying for
the security team in the case of XSS or CSRF vulnerabilities.

I suggest the following actions:

Lart upstream about including only source in their source tarball and
distributing a pre-compressed one separately instead.

Find out which packer upstream are using and get them to switch to a free one.

Remove the packed JavaScript from the tarball if upstream doesn't do it.

Build the packed JavaScript in debian/rules using the yahoo compressor
(or another).

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
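One way to carry out the last of those steps, as an added debian/rules fragment that is not from this thread or from the libjs-jquery package; the source path src/jquery.js, the output path dist/jquery.min.js and the yui-compressor build dependency are assumptions:

```makefile
#!/usr/bin/make -f
# Added example, not the libjs-jquery package's own rules file.
# Assumes: Build-Depends: debhelper, yui-compressor in debian/control,
# unpacked upstream source at src/jquery.js, packed output at
# dist/jquery.min.js (all three paths are assumptions).

%:
	dh $@

override_dh_auto_build:
	# Throw away whatever pre-packed file upstream shipped, so the
	# binary package can only ever contain output built from the
	# (possibly patched) source in this tree.
	rm -f dist/jquery.min.js
	mkdir -p dist
	yui-compressor --type js -o dist/jquery.min.js src/jquery.js

override_dh_auto_clean:
	# Remove the generated file so the build is reproducible and
	# debian/rules clean returns to the pristine source state.
	rm -f dist/jquery.min.js
	dh_auto_clean
```

With the packed file regenerated at build time, a security patch applied under debian/patches to src/jquery.js is picked up by the next rebuild rather than being silently masked by the stale dist/ copy.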
