Bug#847105: wok source updated

[Andreas Henriksson <andreas@fatal.se>]

Hello Lucio Correia,

On Thu, Dec 15, 2016 at 02:58:46PM -0200, Lucio Correia wrote:
> Breno,
> 
> I've upload a new package with requested fixes.
> 
> dget -x https://mentors.debian.net/debian/pool/main/w/wok/wok_2.3.0-1.dsc
> 
> Let me know if anything else is necessary for wok.

I took a quick look at this package and here are a few notes I made.
I don't personally intend to sponsor you as this seems to be outside
my expertice.

- Seems like you've made an effort both to remove and use/depend
  on packaged javascript components like jquery etc, as well as 
  adding missing sources for the minified bundled things.
  This should avoid the need for repackaging the orig tarball
  to remove source-less files, but at the same time it's a bit hard
  to check if you catched everything. Also, while I guess it's not
  strictly forbidden to bundle javascripts that aren't already packaged
  separately I think it's atleast frowned upon. You might want to
  consider joining in on the javascript packaging efforts and get
  (all of) your javascript dependencies packaged separately.

- postinst pokes around in /etc and that is always a source for finding
  policy violating / release critical bugs. For example you check
  only for configure stage and enables the nginx site. This means
  you'll likely trigger on package upgrades and reenable a site that
  the local administrator might have disabled. Fix would likely
  be to check $2 for version to detect if configure is running under
  upgrade or newly-installed-package.

- postrm removes files without checking ownership.
  I think it's ok for the purge action to be brutal, but the remove
  action should under no conditions cause harm to potentially locally
  configured things. For example you better check if sites-enable/wok
  is a symlink before removing it. The local admin might have
  replaced any of the files you installed under /etc with his own
  so removing them without very careful checking is likely to not
  end well.

- consider dropping the conditional clauses for invoke-rc.d in both
  your postinst and postrm. The invoke-rc.d has been around for many
  releases and should always be available (or it would be a bug in
  the base system). I'm aware policy contains similar to what you're
  doing but policy is simply severely outdated. Directly invoking
  an init.d script can be potentially harmful and should never
  be done in todays system. (Policy even explicitly forbids it.)

- 0001-Do-not-install-firewalld-conf-in-Debian.patch
  why? Please always document why.
  (fwiw, firewalld is available in debian also.)

- 0001-Rename-wokd-to-wok.patch
  why?

- 0001-Update-Datatables-Switch-and-Editable-libraries.patch 
    patch is full of trailing whitespace addition noise.

- 0005-Add-nginx.service-as-wokd.service-dependency.patch
  Executing kill in ExecStop is bad as it's async. This is bad
  and potentially causes 'restart' to fail as 'stop' action
  will not wait for stop to actually finish.


HTH.

Regards,
Andreas Henriksson

PS. you might want to block ginger RFS on ginger-base RFS and
    ginger-base RFS on wok RFS.