Re: [Ganglia-developers] ganglia-web package at risk
On 04/02/14 14:56, Daniel Pocock wrote:
> On 04/02/14 14:47, Chris Burroughs wrote:
>> I thought the distro anti-bundling stance was paired with a "we already have X so you should just depend on it". I'm not sure how this works with javascript. Is there some debian jquery package that could be depended on?
>
> There is a jQuery package in Debian, but it is a slightly older version
>
> There are various issues that motivate these rules/policies in distributions:
> - disk space
> - security updates (better to just have one copy of X to update in one shot, hard to find multiple bundled copies of X and check they all have the latest/necessary security patches)
> - source - bundling any minified artifact is not considered to be real source code
>
> That said, given that every project seems to depend on a different version of jQuery, there is some leniency - Debian accepts bundled copies of some things like jQuery as long as they are not minified. It is perfectly OK to minify them in an installation script, but the source tarball from the Ganglia web site must be 100% readable source code.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736104

I had a quick look at this and found that the jquery-ui stuff is not cleanly available as source because of the way it is built as a custom JavaScript file using the tool here:

https://jqueryui.com/download

so it is not a quick fix for me to simply drop in uncompressed JavaScript.

What can be done is that instead of using the custom method to get jquery-ui, perhaps the full source from here:

https://jqueryui.com/resources/download/jquery-ui-1.10.4.zip

can be downloaded into the ganglia-web repository (including both the minified and the human readable version) and then the full minified .js file (rather than a custom.min.js file) can be used within ganglia-web

Are the ganglia-web developers happy to support that version of jquery-ui? Is there any reason the custom version has to be used?

The package has now taken the first step towards being completely dropped from Debian and Ubuntu:

http://packages.qa.debian.org/g/ganglia-web.html

so it is important that we agree on a solution for 3.5.13 or it will be completely missing from the upcoming Ubuntu trusty release and the Debian 8 release early next year.

Regards,

Daniel

___
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
Re: [Ganglia-developers] ganglia-web package at risk
That would be fine with me if that is what it takes. Include the full blown Jquery UI.

Thanks,
Vladimir

On 03/03/2014 01:25 PM, Daniel Pocock wrote:
> [...]
>
> What can be done is that instead of using the custom method to get jquery-ui, perhaps the full source from here:
>
> https://jqueryui.com/resources/download/jquery-ui-1.10.4.zip
>
> can be downloaded into the ganglia-web repository (including both the minified and the human readable version) and then the full minified .js file (rather than a custom.min.js file) can be used within ganglia-web
>
> Are the ganglia-web developers happy to support that version of jquery-ui? Is there any reason the custom version has to be used?
>
> The package has now taken the first step towards being completely dropped from Debian and Ubuntu:
>
> http://packages.qa.debian.org/g/ganglia-web.html
>
> so it is important that we agree on a solution for 3.5.13 or it will be completely missing from the upcoming Ubuntu trusty release and the Debian 8 release early next year.
>
> Regards,
>
> Daniel
Re: [Ganglia-developers] ganglia-web package at risk
On 03/03/14 21:08, Vladimir Vuksan wrote:
> That would be fine with me if that is what it takes. Include the full blown Jquery UI.

I see there is 1.10.2 right now

Can I just swap from the custom.min.js file to the full min.js file?

Or do you want to try the latest, 1.10.4, before releasing web 3.5.13?
Re: [Ganglia-developers] ganglia-web package at risk
Let's stick with 1.10.2.

Vladimir

On 03/03/2014 03:13 PM, Daniel Pocock wrote:
> On 03/03/14 21:08, Vladimir Vuksan wrote:
>> That would be fine with me if that is what it takes. Include the full blown Jquery UI.
>
> I see there is 1.10.2 right now
>
> Can I just swap from the custom.min.js file to the full min.js file?
>
> Or do you want to try the latest, 1.10.4, before releasing web 3.5.13?
Re: [Ganglia-developers] ganglia-web package at risk
On 03/03/14 21:27, Vladimir Vuksan wrote:
> Let's stick with 1.10.2.

Done

Sources are in a directory called contrib now, it is copied into the ganglia-web dist tarball too
Re: [Ganglia-developers] ganglia-web package at risk
I thought the distro anti-bundling stance was paired with a "we already have X so you should just depend on it". I'm not sure how this works with javascript. Is there some debian jquery package that could be depended on?

On 01/31/2014 04:23 AM, Daniel Pocock wrote:
> Debian is proposing to remove the ganglia-web package because of the pre-compiled/minified jQuery and friends, this would also see us cut from Ubuntu and other derivatives:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736104
>
> These are the files in question:
>
> js/jquery-1.9.1.min.js
> js/jquery-ui-1.10.2.custom.min.js
> jquery.scrollTo-1.4.2-min.js
> dash/js/jquery-ui-1.8.14.custom.min.js
>
> I'm going to fix this for the next ganglia-web release, I will have to do one of the following things:
>
> a) include the uncompressed versions of these files in releases as well and a trivial script for compressing each of them during installation of ganglia-web. Whenever somebody adds some new JS, they must add the unminified version and update the script. This may be the better approach if we really need a specific version of each JS file.
>
> b) remove the jQuery.js from the repository/release tarballs and include some script to download it for those people who don't have it in their system (this would make our tarballs smaller)
>
> Does anybody have any preference for either option?
>
> Can anybody comment on the exact versions we require, do we really need jQuery 1.9.1 for instance or can Debian users just symlink to the pre-packaged jQuery v1.7.2?
>
> Big distributions are becoming more and more pro-active about this, using scripts that scan all their packages and start the process to evict those with binary/minified artifacts. I realize this is slightly more tedious for web developers but it means everybody can have 100% certainty that 100% of the files on their system can be traced back to original source. If distributions didn't enforce this, they would end up full of malware like certain shareware sites and app stores.
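The kind of scan Daniel refers to in the quoted message, as an added example that is not part of the thread or of ganglia-web: a Python script that walks a source tree, flags minified JavaScript both by name (the .min.js and -min.js schemes of the four files listed above) and by content (a long-line heuristic, so a renamed minified file is still caught), and reports which minified files ship without a readable counterpart, which is exactly what a distribution would reject the package for. The sample tree, its file contents, the thresholds and the helper names are constructed for this example, not taken from ganglia-web.

```python
"""Find bundled minified JavaScript and check that readable source ships alongside it."""
import re
import tempfile
from pathlib import Path

# The naming schemes of the four files listed in the thread:
# jquery-1.9.1.min.js, jquery-ui-1.10.2.custom.min.js, jquery.scrollTo-1.4.2-min.js
MIN_NAME_RE = re.compile(r"^(?P<base>.+?)[.-]min\.js$")


def looks_minified(text, avg_line_len=200, long_line_len=500):
    """Content heuristic: minified JS packs the whole file into a few very long lines.

    The thresholds are assumptions chosen for this example, not a published standard.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    avg = sum(len(ln) for ln in lines) / len(lines)
    long_ratio = sum(1 for ln in lines if len(ln) > long_line_len) / len(lines)
    return avg > avg_line_len or long_ratio >= 0.5


def readable_source_for(min_path, root):
    """Relative path of a readable counterpart of a minified file, or None if none ships."""
    m = MIN_NAME_RE.match(min_path.name)
    if not m:
        return None  # minified by content only: no source name can be derived
    wanted = m.group("base") + ".js"
    # The source may sit beside the minified file or elsewhere (e.g. a contrib/ directory)
    for cand in sorted(root.rglob(wanted)):
        if not looks_minified(cand.read_text(encoding="utf-8", errors="replace")):
            return cand.relative_to(root).as_posix()
    return None


def audit_tree(root):
    """Map each minified .js under root to its readable source; None marks a violation."""
    root = Path(root)
    findings = {}
    for js in sorted(root.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        if MIN_NAME_RE.match(js.name) or looks_minified(text):
            findings[js.relative_to(root).as_posix()] = readable_source_for(js, root)
    return findings


def violations(findings):
    """Minified files that would get the package rejected: no readable source shipped."""
    return sorted(path for path, src in findings.items() if src is None)


def demo():
    """Build a constructed sample tree (not ganglia-web's files) and audit it."""
    readable = (
        "(function ($) {\n"
        "    // readable, human-maintained source\n"
        "    $.fn.demo = function () {\n"
        "        return this;\n"
        "    };\n"
        "}(jQuery));\n"
    )
    minified = ";".join("function f%d(a){return a+1}" % i for i in range(40)) + "\n"
    files = {
        "js/jquery-1.9.1.min.js": minified,             # readable source ships below: fine
        "js/jquery-1.9.1.js": readable,
        "js/jquery-ui-1.10.2.custom.min.js": minified,  # custom build, no source: violation
        "js/vendor.js": minified,                       # minified content, innocent name: violation
        "dash/js/app.js": readable,                     # plain source: not reported
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for path in violations(demo()):
        print("no readable source for", path)
```

Name matching alone would miss a minified file that has been renamed (vendor.js in the sample), which is why the content heuristic runs over every .js file; conversely a file that merely carries a .min.js name is still reported, because the policy is about what is shipped, not how the file looks. Running audit_tree over the unpacked release tarball before tagging catches the problem upstream instead of in a Debian bug report.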
Re: [Ganglia-developers] ganglia-web package at risk
On 04/02/14 14:47, Chris Burroughs wrote:
> I thought the distro anti-bundling stance was paired with a "we already have X so you should just depend on it". I'm not sure how this works with javascript. Is there some debian jquery package that could be depended on?

There is a jQuery package in Debian, but it is a slightly older version

There are various issues that motivate these rules/policies in distributions:
- disk space
- security updates (better to just have one copy of X to update in one shot, hard to find multiple bundled copies of X and check they all have the latest/necessary security patches)
- source - bundling any minified artifact is not considered to be real source code

That said, given that every project seems to depend on a different version of jQuery, there is some leniency - Debian accepts bundled copies of some things like jQuery as long as they are not minified. It is perfectly OK to minify them in an installation script, but the source tarball from the Ganglia web site must be 100% readable source code.
Re: [Ganglia-developers] ganglia-web package at risk
On 31/01/14 16:01, Vladimir Vuksan wrote:
> I would go with option a). I am fine with this approach.

OK, I'll sort it out over the next few days

> Another thing to consider is to have the packager download problematic JS files and download them directly off jquery.com. Daniel, can that be done?

That creates more work for the person making the package:

Essentially, the packager has to
a) download the tarball created from the tag in github
b) remove stuff
c) add stuff (unless it is available from other packages, like jquery)
d) create a new tarball

While some people do that for their packages, the extra effort involved in doing this means there is less time to spend on other work that might help improve this or other free software, so it is better to just come up with a solution for the official ganglia-web tarballs to be compliant
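Steps a) to d) above, as an added example that is not part of the thread or of any Debian packaging of ganglia-web: a Python repack that takes an upstream tarball, drops the bundled minified JavaScript by name, renames the top-level directory with the +dfsg suffix Debian uses for modified upstream tarballs, adds a note explaining what was removed, and writes the new archive. The upstream tarball is constructed in a temporary directory so the example runs offline; its file names, the version number and the README.Debian text are assumptions for illustration, not ganglia-web's real contents.

```python
"""Repack an upstream tarball without its bundled minified JavaScript (steps b to d)."""
import io
import tarfile
import tempfile
from pathlib import Path

# Name patterns a packager would strip; matches the file list quoted earlier in the thread
MINIFIED_SUFFIXES = (".min.js", "-min.js")


def is_excluded(rel_path):
    """True for members that must not ship as source: minified JavaScript."""
    return rel_path.endswith(MINIFIED_SUFFIXES)


def safe_relative(member_name):
    """Strip the top-level directory and reject names that would escape the tree."""
    if member_name.startswith("/") or ".." in member_name.split("/"):
        raise ValueError("unsafe member name: %r" % member_name)
    parts = member_name.split("/", 1)
    return parts[1] if len(parts) > 1 else ""


def repack(src_tar, dst_tar, new_topdir, extra_files=None):
    """b) drop excluded members, c) add packager files, d) write the new tarball.

    Every kept member is rewritten under new_topdir so the result is visibly not
    the pristine upstream archive. Returns the sorted member names of the result.
    """
    extra_files = extra_files or {}
    kept = []
    with tarfile.open(str(src_tar), "r:gz") as src, tarfile.open(str(dst_tar), "w:gz") as dst:
        for member in src.getmembers():
            rel = safe_relative(member.name)
            if rel and is_excluded(rel):
                continue  # step b): stripped from the repacked source
            data = src.extractfile(member) if member.isfile() else None
            member.name = new_topdir + ("/" + rel if rel else "")
            dst.addfile(member, data)
            kept.append(member.name)
        for rel, text in extra_files.items():  # step c): files the packager adds
            info = tarfile.TarInfo(new_topdir + "/" + rel)
            payload = text.encode("utf-8")
            info.size = len(payload)
            dst.addfile(info, io.BytesIO(payload))
            kept.append(info.name)
    return sorted(kept)


def make_upstream(tar_path, topdir, files):
    """Stand-in for the GitHub tag tarball of step a) (constructed, not a real release)."""
    with tarfile.open(str(tar_path), "w:gz") as tar:
        for rel, text in files.items():
            info = tarfile.TarInfo(topdir + "/" + rel)
            payload = text.encode("utf-8")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))


def demo():
    """Repack a constructed tarball and return the member names of the result."""
    upstream = {  # constructed contents, not ganglia-web's real tree
        "README": "ganglia-web\n",
        "index.php": "<?php\necho 'ganglia';\n",
        "js/jquery-1.9.1.min.js": "function f(a){return a}\n",
        "js/jquery-ui-1.10.2.custom.min.js": "function g(a){return a}\n",
        "js/jquery.scrollTo-1.4.2-min.js": "function h(a){return a}\n",
    }
    note = "Bundled minified jQuery files were removed; the packaged jQuery is used instead.\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ganglia-web-3.5.13.tar.gz")
        dst = Path(tmp, "ganglia-web_3.5.13+dfsg.orig.tar.gz")
        make_upstream(src, "ganglia-web-3.5.13", upstream)
        return repack(src, dst, "ganglia-web-3.5.13+dfsg",
                      extra_files={"js/README.Debian": note})


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The safe_relative check matters because the packager is extracting and re-emitting an archive they did not create: a member named with a leading slash or a .. component would otherwise be carried into the repacked tarball and unpacked outside the build tree. This is the work Daniel's message says a packager would rather not repeat for every release, which is why the thread settles on shipping readable source in the official tarball instead.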
Re: [Ganglia-developers] ganglia-web package at risk
What I was suggesting is to add dynamic download automatically. Can't bootstrap pull external files?

On 01/31/2014 10:06 AM, Daniel Pocock wrote:
>> Another thing to consider is to have the packager download problematic JS files and download them directly off jquery.com. Daniel, can that be done?
>
> That creates more work for the person making the package:
>
> Essentially, the packager has to
> a) download the tarball created from the tag in github
> b) remove stuff
> c) add stuff (unless it is available from other packages, like jquery)
> d) create a new tarball
>
> While some people do that for their packages, the extra effort involved in doing this means there is less time to spend on other work that might help improve this or other free software, so it is better to just come up with a solution for the official ganglia-web tarballs to be compliant
Re: [Ganglia-developers] ganglia-web package at risk
On 31/01/14 16:10, Vladimir Vuksan wrote:
> What I was suggesting is to add dynamic download automatically. Can't bootstrap pull external files?

That depends

If you want to run a bootstrap script that creates a release tarball and uploads it to some download page, then the script can pull external files

However, if you want the github auto-generated tarballs to be the official release tarballs, then github does not have the ability to run the script when creating the tarball, it just tars up the contents of the repository as they are

If the user has to run a script to download stuff after getting the tarball then that is not permitted in Debian or most other distributions: they all have a rule stating that users should be able to rebuild all packages from source even if they have no internet connection.