Hi,
On 2026-02-01 17:53, Wouter Verhelst wrote:
So, the issue here is that sreview-web doesn't actually directly use
JSON::Validator; instead, it uses Mojolicious::Plugin::OpenAPI, and
*that* uses JSON::Validator.
The problem is that Mojolicious::Plugin::OpenAPI does not allow you to
select a spec URL. It hardcodes the 2019-04-02 URL, and this cannot be
configured.
(it does allow creating a JSON::Validator::Schema::OpenAPIv3 object that
you can then pass to the validator parameter of
Mojolicious::Plugin::OpenAPI, and that does allow you to specify a spec
URL, but that is ignored. Additionally, it allows you to set a schema
URL to the value "v3", which I tried to set to the correct schema URL,
but similarly, that also does not result in the correct URL being used)
All this means that until this bug is fixed in Debian, effectively,
Mojolicious::Plugin::OpenAPI is completely broken for any application
using OpenAPIv3 specifications (which includes SReview).
I see, thanks for the explanation.
[skip options from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091856#17]
As sreview-web is my own code, option 1 should theoretically not be too
hard. But it's just *not possible* to do it at that level (we should be
able to patch Mojolicious::Plugin::OpenAPI though).
As we are able to ship the OpenAPI specifications in the
openapi-specification tarball, however, I just don't see why it's not
possible to ship them in libjson-validator-perl? I mean, sure, the files
in the JSON::Validator tarball don't have licenses attached, but the
licenses exist, we just need to get them from elsewhere -- and since
openapi-specification exists in Debian main, clearly it's free software.
I have just glanced over the ~20 cache files in JSON::Validator 5.15 and
all of them seem to come from either json:api or OpenAPI. Thus let's
stop excluding the cache files and solve this issue for good. I will
start working on it.
Best,
Andrius
