
Re: Bug#814589: otrs2: source-less files; undocumented copyrights/licenses; abuse of lintian-overrides; systematic DFSG violations





On 15.02.2016 at 14:14, Dmitry Smirnov wrote:
I am aware of those issues, that is
also why the embedded-code-copies bug is marked as "need help".
And this is why I provided some hints how you can address those problems in
my bug report. This is why I wrote to you after I stabilised "ckeditor"
so you could use it.
I can use it, until ckeditor OR otrs upstreams break it again, like with jquery.
Also it would prevent backports of otrs to jessie.

and mostly it is not possible to replace the
libjs thirdparty foo with the packages from Debian, mostly because of
version mismatches.
Hold on, you are answering the least important concern. There are cases when
replacing bundled library with system one could be fragile or not suitable.
But you can't ship and use untrusted pre-minified upstream files with who-
knows-what...

You reported a very general bug about the whole javascript mess. Replacing ckeditor will not solve the other problems or all those minified files and so on.



Nobody is willing (or in my case able) to fix those
JS issues, which appear here and then with different versions in
different places (ugly JS sh..).
At least I gave you "ckeditor" didn't I? That's one less problem to deal
with...

See above.


If everything is simple for you and just replacements have to be done
(which is not the case) then I would be happy to welcome you on the
otrs-packaging board.
It is simple enough. Although some system libraries should be safe to use you
do not have to use only system libraries. But you have to get rid of non-DFSG
precompiled binaries.
I appreciate your invitation but unfortunately I have no time for otrs.

IMO minified files are not as evil as the embedded libs, which should be addressed first.



Just a short example:
With 5.0.1-2 I had to drop (and inform the security team) about removing
again the use of the libjs-jquery* packages from Debian, because of #802938
I agree that using "libjs-jquery-ui" package of different version than
bundled one is fragile.
Though with "libjs-jquery" you'd probably be safe as long as you do not cross
1.9.0 boundary. However you must not use pre-minified "jquery-ui.js" as it is
shipped in orig.tar. As a very minimum you have to replace it with original
uncompressed version that you have to ship in "debian/missing-sources" and
ideally report pre-built binaries as bug to upstream. If you believe in
minification then you can minify on build time. You can not trust source-
less, unreadable, unmodifiable pre-built binaries. I suppose lintian already
warned you long before I did.

I wrote the following wiki page that I use when I make upstream bug reports
about minified binaries -- I hope you might find it useful:

     https://wiki.debian.org/onlyjob/no-minification


Investing work in removing those files will not really help and will just burden the whole packaging and eat time needed to fix really serious issues - like embedded libs.

@Debian release team:
I would like to request a stretch ignore for this bug. I am aware of these problems, but I am not able to fix them, nor did anyone ever offer me help with this JS foo. If it would not be possible I would have to resign otrs packaging in Debian.

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
*/
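
An added example, not part of the original message or of the otrs2 packaging: a sketch of the audit implied by the advice quoted above to ship readable sources for pre-minified files in "debian/missing-sources". The line-length threshold, the lookup rules and the sample file names are assumptions of this example and do not reproduce lintian's own logic.

```python
import os
import tempfile
LONG_LINE = 512  # assumed threshold for this example, not lintian's own value

def looks_minified(path):
    """Heuristic: '.min.js' name, or any single line longer than LONG_LINE."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return path.endswith(".min.js") or any(len(line) > LONG_LINE for line in fh)

def find_sourceless(root):
    """Return minified .js files (relative to root) with no readable source."""
    missing = os.path.join(root, "debian", "missing-sources")
    findings = []
    for dirpath, dirnames, files in os.walk(root):
        if dirpath == root and "debian" in dirnames:
            dirnames.remove("debian")  # packaging dir is not upstream code
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(".js") or not looks_minified(path):
                continue
            plain = name[:-len(".min.js")] + ".js" if name.endswith(".min.js") else name
            candidates = [os.path.join(missing, plain)]
            if plain != name:
                candidates.append(os.path.join(dirpath, plain))
            # A candidate only counts if it exists and is itself readable.
            if not any(os.path.isfile(c) and not looks_minified(c) for c in candidates):
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)

def write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo():
    """Constructed sample tree; file names are made up for illustration."""
    readable = "function add(a, b) {\n  return a + b;\n}\n"
    packed = "var a=function(b,c){return b+c};" * 40 + "\n"  # single long line
    with tempfile.TemporaryDirectory() as root:
        write(root, "js/jquery-ui.js", packed)    # minified despite plain name
        write(root, "js/editor.min.js", packed)
        write(root, "js/editor.js", readable)     # source shipped alongside
        write(root, "js/chart.min.js", packed)    # no source anywhere
        before = find_sourceless(root)
        write(root, "debian/missing-sources/jquery-ui.js", readable)
        return before, find_sourceless(root)

if __name__ == "__main__":
    print(demo())
```
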

