a package of mine, sqlkit (currently only in experimental) provides a
documentation in html format which, when browsed, tries to use several
javacript applets which the browser retrieves from remote. Though that's
a fairly common behaviour for most of the webpages we daily browse, I
guess if I should disable that. In particular:
1) some applets are separately packaged: it looks trivial to me that I
will patch the docs generation to use them instead
2) a .js (AnythingSlider) is not included in the tarball only because
its license was unknown (now it is clarified as GPL), nor is it packaged
separately. It will presumably be included in the next upstream release
of sqlkit. For the moment, it and its files are retrieved from the
sqlkit official page. I can't change that just with a patch, since also
a couple of png images are retrieved. Well, I could introduce the .js as
patch _and_ still retrieve the pngs.
3) Since the docs are used also on the project website, the Google
Analytics .js is retrieved for tracking. This should be maybe also
considered as a privacy threat, though I found no mention to this kind
of problems in the Debian policy.
Maybe my question looks a bit rhetoric, but I just want to be sure I
don't patch more than it's strictly required: do I have, in the end, to
remove all the references to remote .js?