
Bug#1034196: unblock: openrefine/3.6.2-2



Hi Markus,

On 20-04-2023 15:21, Markus Koschany wrote:
> In version 3.5.x upstream included all Javascript files in the original source
> tarball but also shipped some minified files without the unminified sources.

> [...]

This was a missing piece. At least it explains how you got where you are now.

> Since I already followed the Debian Policy and included the missing sources in
> debian/missing-sources, I felt that shipping the 3rdparty directory in
> debian/missing-sources/3rdparty would be a good intermediate solution.

But you added more files than you have in testing (including jquery.js).

> If you insist I can repack the tarball, add the 3rdparty directory and remove it from
> debian/missing-sources but in the end it would not make any difference.

Huh? I wasn't asking you to do that. I was asking you to use packaged binaries as a dependency.

> Openrefine is a desktop application which only runs on your own computer.

You know, now I know. Does the security team also know? Should they really?

> If you insist I can depend on libjs-jquery and replace the local copy with a
> symlink but I feel this would be an example of over-engineering without any
> real value to our users in this specific case.

That argument holds for a lot of things we do. What I try to say is that there's a price we pay in our community too by not doing it. In this case: tracking embedded versions. Because of the popularity of things like jquery they are embedded a lot and we're trying to track them *and* remove them. Just to be clear, I wasn't *only* talking about jquery.js, but also about the others that are covered by binaries in our archive. Even if upstream added stuff back, I would still recommend you to link (and depend on) the files shipped in e.g. libjs-jquery. I know what I'm talking about, my upstream cacti ships a lot of embedded libraries too; I do my best to remove things that we already ship in Debian. My upstream complained once in a while that my versions are wrong; I still believe it's the right thing to do in a distribution like Debian. I think they are starting to see the value of our side too.

Lintian is telling you that too:
https://udd.debian.org/lintian/?packages=openrefine

Paul
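The approach Paul recommends in the message above (replace an embedded copy of a JavaScript library with a symlink to the copy shipped by a Debian package such as libjs-jquery, so that only one tracked version exists in the archive) can be scripted. The script below is an added example written for this page; it is not part of the thread, the openrefine package, or any Debian tooling. It assumes the embedded files live in a directory passed as the first argument and the packaged copies under a root passed as the second argument (`/usr/share/javascript` on a Debian system; `jquery/jquery.js` is the real path libjs-jquery installs there, the other mapping entry is constructed for illustration). Files it cannot match are reported as "unmanaged", i.e. the ones that would still need to be covered by debian/missing-sources.

```shell
#!/bin/sh
# Added example, not from the thread or the openrefine package.
# Replace embedded JavaScript libraries in an unpacked source tree with
# symlinks to the copies shipped by Debian packages, and report every
# embedded .js file that has no packaged counterpart.
#
# Assumptions: $1 is the directory holding the embedded copies (for example
# a 3rdparty directory), $2 is the packaged JavaScript root
# (/usr/share/javascript on Debian). Only "jquery.js jquery/jquery.js" is a
# real libjs-jquery path; the second mapping line is constructed.

# Map of embedded basename -> path relative to the packaged JavaScript root,
# one entry per line: "<basename> <relative path>".
js_map() {
    cat <<'EOF'
jquery.js jquery/jquery.js
jquery.min.js jquery/jquery.min.js
EOF
}

# link_embedded_js SRC_DIR PKG_DIR
# For every mapped basename present in SRC_DIR whose packaged counterpart
# exists under PKG_DIR, replace the embedded file with a symlink and print
# "linked <name>". Afterwards print "unmanaged <name>" for every regular
# .js file still left in SRC_DIR (symlinks are skipped).
link_embedded_js() {
    src=$1
    pkg=$2
    js_map | while read -r name rel; do
        [ -f "$src/$name" ] || continue        # not embedded here, skip
        if [ -f "$pkg/$rel" ]; then            # packaged copy available
            rm -f "$src/$name"
            ln -s "$pkg/$rel" "$src/$name"
            echo "linked $name"
        fi
    done
    for f in "$src"/*.js; do
        [ -e "$f" ] || continue                # no .js files at all
        [ -L "$f" ] && continue                # already a symlink
        echo "unmanaged $(basename "$f")"
    done
}

# Run only when invoked with both directories, e.g.
#   sh link-embedded-js.sh main/webapp/modules/core/3rdparty /usr/share/javascript
if [ "$#" -eq 2 ]; then
    link_embedded_js "$1" "$2"
fi
```

In a real package the same outcome is normally expressed declaratively: a `Depends: libjs-jquery` entry in debian/control and the symlink listed in a debian/<package>.links file for dh_link, rather than rewriting the tree at build time. The "unmanaged" lines are the interesting output for review: they are the embedded copies that Lintian will keep flagging and that the security team would have to track separately if a fix landed in the packaged library.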
