
Re: [MoM] Using missing-sources directory correctly



Ahhh good point.  This project has produced quite a few "gotchas" like this.  The custom does mean "a few bits left out" and I was going to place the complete jquery-ui-1.7.1.js in the missing sources (with the correct name of course) and see about removing it later.  The issue really is testing.  Replacing the reference without an in-depth knowledge of what I might break seems like a bad idea.  Guess I might have to place the missing-sources reference, complete my packaging exercise that I have been working on with Andreas, and then with the help of upstream start to remove the offensive bits that FTP masters will complain about.

I agree that we shouldn't be duplicating/shipping code that has security flaws in it and I won't have time to patch all the different little versions/files that this project uses.

Thanks for the response.  Can you clarify though just on the semantics of missing-sources - am I supposed to recreate the directory structure and include the source in the correct directory?  I noted that even just touching the file (a zero-byte file) will make the warning go away ... but that obviously does not satisfy the requirement to ship the source in the package.

cheers
ian


On Thu, Jul 31, 2014 at 1:23 PM, Emilien Klein <emilien+debian@klein.st> wrote:
Hi Ian,

2014-07-31 21:06 GMT+02:00 Ian Wallace <iankarlwallace@gmail.com>:
> I am probably just not looking in the correct location of the documentation
> but it's not obvious to me where one should put missing sources in the
> d/missing-sources directory.
>
> For example, in the package I am working on (OpenEMR) they have lots of
> minified JS from jquery.  I realize the better solution is to eventually
> integrate with whichever version is available in Debian but that's a longer
> term project.  So for the time being lintian is complaining that
> jquery-ui-1.7.1.custom.min.js doesn't have source.

Looking at the name of the file ("custom"), I will express some
serious doubts on DFSG-compliance. There is already debate if a
minified file on its own is not considered "non-source", I'm not even
thinking about the issues around a custom minified file...

I suppose "custom" means "with bits removed", thus "works with the
full version as well".
The network overhead for a minified js file would be minimal, as it's
just downloaded once and cached after that.
I would not invest time in searching for the upstream sources, or
figuring out d/missing-source, but instead use jquery-ui as packaged
for Debian, available in both minified and full versions.
Just change the references to
"library/js/jquery-ui-1.7.1.custom.min.js" to
"/javascript/jquery-ui/jquery-ui.min.js", and have your package depend
on javascript-common and libjs-jquery-ui.

Otherwise you'll have to start tracking the jQuery-ui security
information closely, and patch any security fix yourself on the custom
minified file. Quite a headache you're setting yourself up for ;) And
that's even assuming FTP masters let you upload a package with
embedded [source][scratch that, replace by "binary"] from another
project, one that's available in Debian at all.

    +Emilien

> In the source tree it's located in:
> library/js/jquery-ui-1.7.1.custom.min.js
>
> Is it correct that I should put the source (the non-minified version once I
> find it) in:
>
> d/missing-source/library/js/jquery-ui-1.7.1.custom.js
>
> Or do I need to match the filename exactly?  I am assuming it's best to
> mimic the directory structure of the missing source to keep things
> organized.
>
> Thanks for any information you can provide.
> ian
>
> --
> Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732






--
Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732
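
The zero-byte placeholder case raised in this thread can be caught with a pre-upload check. The script below is an added example, not part of the original messages and not lintian's own logic: it walks a source tree for `*.min.js` files and reports whether a non-empty counterpart exists under `debian/missing-sources`. The mirrored directory layout, the `.min.js` to `.js` naming rule, the function names and the sample files are assumptions made for illustration.

```python
import os
import tempfile

MISSING = os.path.join("debian", "missing-sources")  # directory discussed in the thread


def audit_missing_sources(tree):
    """Map each *.min.js under `tree` to "ok", "absent" or "empty".

    Assumption: debian/missing-sources mirrors the tree and the source
    carries the same name with ".min" dropped.
    """
    report = {}
    for root, dirs, files in os.walk(tree):
        rel_root = os.path.relpath(root, tree)
        if rel_root == ".":
            dirs[:] = [d for d in dirs if d != "debian"]  # skip packaging dir
        for name in files:
            if not name.endswith(".min.js"):
                continue
            rel = os.path.normpath(os.path.join(rel_root, name))
            source = os.path.join(tree, MISSING, rel[: -len(".min.js")] + ".js")
            if not os.path.isfile(source):
                status = "absent"
            elif os.path.getsize(source) == 0:
                status = "empty"  # a `touch`ed placeholder, not real source
            else:
                status = "ok"
            report[rel.replace(os.sep, "/")] = status
    return report


def build_sample_tree(base):
    """Constructed sample: one real source, one placeholder, one with none."""
    js = os.path.join(base, "library", "js")
    src = os.path.join(base, MISSING, "library", "js")
    os.makedirs(js)
    os.makedirs(src)
    for name in ("jquery-ui-1.7.1.custom", "placeholder", "nosource"):
        with open(os.path.join(js, name + ".min.js"), "w") as fh:
            fh.write("/* minified (constructed) */")
    with open(os.path.join(src, "jquery-ui-1.7.1.custom.js"), "w") as fh:
        fh.write("// full source (constructed)\n")
    open(os.path.join(src, "placeholder.js"), "w").close()  # zero bytes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, status in sorted(audit_missing_sources(tmp).items()):
            print(f"{status:7} {path}")
```

A non-empty file only shows that something was shipped; confirming that it is the actual source for the minified copy still needs a manual comparison against upstream.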
