Ahhh good point.  This project has produced quite a few "gotchas" like
this.  The custom does mean "a few bits left out" and I was going to place
the complete jquery-ui-1.7.1.js in the missing sources (with the correct
name of course) and see about removing it later.  The issue really is
testing.  Replacing the reference without an in-depth knowledge of what I
might break seems like a bad idea.  Guess I might have to place the
missing-sources reference, complete my packaging exercise that I have been
working on with Andreas, and then with the help of upstream start to remove
the offensive bits that FTP masters will complain about.

I agree that we shouldn't be duplicating/shipping code that has security
flaws in it and I won't have time to patch all the different little
versions/files that this project uses.

Thanks for the response.  Can you clarify though just on the semantics of
missing-sources - am I supposed to recreate the directory structure and
include the source in the correct directory?  I noted that even just
touching the file (zero-byte file) will make the warning go away ... but
obviously that does not satisfy the requirement to ship the source in the package.

cheers
ian


On Thu, Jul 31, 2014 at 1:23 PM, Emilien Klein <[email protected]>
wrote:

> Hi Ian,
>
> 2014-07-31 21:06 GMT+02:00 Ian Wallace <[email protected]>:
> > I am probably just not looking in the correct location of the documentation
> > but it's not obvious to me where one should put missing sources in the
> > d/missing-sources directory.
> >
> > For example, in the package I am working on (OpenEMR) they have lots of
> > minified JS from jquery.  I realize the better solution is to eventually
> > integrate with whichever version is available in Debian but that's a longer
> > term project.  So for the time being lintian is complaining that
> > jquery-ui-1.7.1.custom.min.js doesn't have source.
>
> Looking at the name of the file ("custom"), I will express some
> serious doubts on DFSG-compliance. There is already debate if a
> minified file on its own is not considered "non-source", I'm not even
> thinking about the issues around a custom minified file...
>
> I suppose "custom" means "with bits removed", thus "works with the
> full version as well".
> The network overhead for a minified js file would be minimal, as it's
> just downloaded once and cached after that.
> I would not invest time in searching for the upstream sources, or
> figuring out d/missing-source, but instead use jquery-ui as packaged
> for Debian, available in both minified and full versions.
> Just change the references to
> "library/js/jquery-ui-1.7.1.custom.min.js" to
> "/javascript/jquery-ui/jquery-ui.min.js", and have your package depend
> on javascript-common and libjs-jquery-ui.
>
> Otherwise you'll have to start tracking the jQuery-ui security
> information closely, and patch any security fix yourself on the custom
> minified file. Quite a headache you're setting yourself up for ;) And
> that's even assuming FTP masters let you upload a package with
> embedded [source][scratch that, replace by "binary"] from another
> project, one that's available in Debian at all.
>
>     +Emilien
>
> > In the source tree it's located in:
> > library/js/jquery-ui-1.7.1.custom.min.js
> >
> > Is it correct that I should put the source (the non-minified version once I
> > find it) in:
> >
> > d/missing-source/library/js/jquery-ui-1.7.1.custom.js
> >
> > Or do I need to match the filename exactly?  I am assuming it's best to
> > mimic the directory structure of the missing source to keep things
> > organized.
> >
> > Thanks for any information you can provide.
> > ian
> >
> > --
> > Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732
>
>


-- 
Ian Wallace - CCRMC DFM Staff Physician - (c) 303.681.5732
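
Added example, not part of either message and not Debian or lintian code: a small audit that lists every minified JS file in a source tree and reports whether a non-empty source exists for it, so that a zero-byte placeholder of the kind mentioned above is flagged instead of passing silently. It assumes the layout Ian proposes (same relative path under `debian/missing-sources`, the thread's `d/`, with `.min` dropped); lintian's own matching rules may differ, and the function names and the `example-a`/`example-b` files are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (the one Ian proposes):
# debian/missing-sources/<same relative path with ".min" dropped>.

# Print one line per *.min.js under $1: OK, MISSING, or EMPTY (zero-byte
# placeholder). Returns 0 only when every minified file has non-empty source.
audit_missing_sources() {
    tree=$1
    [ -d "$tree" ] || return 2
    report=$(
        cd "$tree" || exit
        find . -path ./debian -prune -o -type f -name '*.min.js' -print |
        sort |
        while IFS= read -r min; do
            rel=${min#./}
            src="debian/missing-sources/${rel%.min.js}.js"
            if [ ! -e "$src" ]; then echo "MISSING $rel"
            elif [ ! -s "$src" ]; then echo "EMPTY $rel"
            else echo "OK $rel"
            fi
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -Eq '^(MISSING|EMPTY) '
}

# Constructed sample tree: only the jquery-ui file name comes from the thread.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/library/js" "$d/debian/missing-sources/library/js"
    for f in jquery-ui-1.7.1.custom example-a example-b; do
        echo 'x=1;' > "$d/library/js/$f.min.js"
    done
    # Zero-byte placeholder, as produced by touch.
    : > "$d/debian/missing-sources/library/js/jquery-ui-1.7.1.custom.js"
    echo 'var x = 1;' > "$d/debian/missing-sources/library/js/example-a.js"
    echo "$d"
}

demo=$(make_demo_tree)
audit_missing_sources "$demo" || echo "source requirement not met"
rm -rf "$demo"
```

Run from a package's build or CI step, the non-zero exit status stops an upload that still carries a minified file without real source.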
