Re: Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-12-21 Thread Aurélien COUDERC
Hi Sebastian,

On Tuesday 20 December 2022, 18:04:50 CET Sebastien Chavaux wrote:
> Hello Aurelien :-)
> 
> For the integration of Ghostwriter in the scope of the Qt/KDE packaging
> team, I agree, no worries, I also had the case at openSUSE and I'm looking
> how I could in the following days, pass all that on to Debian as well.

thanks, I’ve moved the Salsa repo after you granted me the necessary rights.
Feel free to check that you still have access to the repo, or complain to me 
directly if not.

> I'll try to free up time to make the changes but it's not said. I don't
> have any Debian around right now.

That needs fixing.
Installing Debian is relatively straightforward these days, you know. ^^

Joke aside I’ve made the changes I proposed below and uploaded the package.
Thank you for working on it until now, I hope I’ll see you contributing to 
Debian again!


Happy hacking,
--
Aurélien


> On Tue 20 Dec 2022 at 13:30, Aurélien COUDERC  wrote:
> 
> > To follow up on the RFS discussion:
> > - MathJax3 is currently not packaged so it’s fine to keep it vendored
> > (3rdparty) for now. We can migrate to the Debian package once it’s
> > available.
> > - The source-is-missing lintian tags are false positives to me (if lintian
> > still really emits them, I haven’t checked). The folders
> > 3rdparty/{MathJax,react} contain valid, human modifiable source files.
> > Please add a comment in the lintian-overrides file to explain so.
> > - You should use the Files-Excluded directive in debian/copyright [1] to
> > describe which files should be removed from the upstream source. That
> > should be the debian/ folder + 3rd party libraries already available in
> > Debian.
> > - I would prefer the +ds suffix instead of +dfsg, +dfsg is more
> > appropriate for cases where we remove upstream sources due to licensing
> > concerns which is not the case here IIUC.
> > - uscan --download-current-version fails, it should work from a clean
> > clone of the repo (the uupdate is not required unless I’m missing
> > something), and…
> > - it would be preferable for debian/watch to target the invent.kde.org
> > repo which is now the reference repo, you have examples for GitLab tags
> > here [2].
> > - In the git packaging repo you have the « source » folder next to the
> > « debian » folder, it should be *inside* it.
> > - source/options can be removed.
> > - Remove debian/compat and replace the debhelper (>= 11) build dependency
> > by a debhelper-compat (= 13) build dep.
> > - Remove debian/git-build-recipe.manifest? I don’t know what it’s for so
> > it’s probably not useful. :)
> >
> >
> > Feel free to ping me or the team on IRC about any of the above.
> >
> >
> > [0] https://salsa.debian.org/qt-kde-team/extras
> > [1] https://wiki.debian.org/UscanEnhancements
> > [2] https://wiki.debian.org/debian/watch#Gitlab





Re: Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-12-20 Thread Sebastien Chavaux
Hello Aurelien :-)

For the integration of Ghostwriter in the scope of the Qt/KDE packaging
team, I agree, no worries, I also had the case at openSUSE and I'm looking
how I could in the following days, pass all that on to Debian as well.

As for gitlab, I have trouble communicating with it, I can't even do that
from my terminal anymore, I have a legal problem, so I do everything from
the risky web interface. I more or less gave up on the git business. But I
will give you the rights.

I haven't worked with the repository long enough, I work directly from home
and a folder. I would like to help in other packages but again I stumble on
the use of gitlab.

I'll try to free up time to make the changes but it's not said. I don't
have any Debian around right now.

Best regards.

On Tue 20 Dec 2022 at 13:30, Aurélien COUDERC  wrote:

> On Wednesday 12 October 2022, 11:41:50 CET Sebastien Chavaux wrote:
> > Absolutely, I'm so in my head that I don't see what is the simplest...
>
> Dear Sebastien,
>
> as Ghostwriter has been onboarded as a KDE Project, I’d like to offer to
> integrate the package into the perimeter of the Qt/KDE Packaging Team.
>
> We have an « extras » group [0] for packages that are related to KDE but
> not part of the main KDE Frameworks / Plasma / Gear releases that I think
> would be suitable.
>
> How we would do this is:
> - give me (couc...@debian.org) or one of the team members owner access to
> your packaging repo so we can move it to the qt-kde-team/extras group
> - change the Maintainer field to: Debian KDE Extras Team <
> pkg-kde-ext...@alioth-lists.debian.net>
> - put yourself in the Uploaders field
>
> What you would get:
> - you keep your usual access to the repo and can work on the package as
> you used to
> - team members and myself would be considered welcome to contribute to
> that repository too
> - it would give additional scrutiny to the package that would show on our
> DDPO dashboard
> - you’re welcome to help on other packages of the team :)
>
> Whether you’re interested or not, you’re welcome to hang out on the
> #debian-qt-kde on Debian’s IRC for help and feedback or upload sponsorship.
>
>
> To follow up on the RFS discussion:
> - MathJax3 is currently not packaged so it’s fine to keep it vendored
> (3rdparty) for now. We can migrate to the Debian package once it’s
> available.
> - The source-is-missing lintian tags are false positives to me (if lintian
> still really emits them, I haven’t checked). The folders
> 3rdparty/{MathJax,react} contain valid, human modifiable source files.
> Please add a comment in the lintian-overrides file to explain so.
> - You should use the Files-Excluded directive in debian/copyright [1] to
> describe which files should be removed from the upstream source. That
> should be the debian/ folder + 3rd party libraries already available in
> Debian.
> - I would prefer the +ds suffix instead of +dfsg, +dfsg is more
> appropriate for cases where we remove upstream sources due to licensing
> concerns which is not the case here IIUC.
> - uscan --download-current-version fails, it should work from a clean
> clone of the repo (the uupdate is not required unless I’m missing
> something), and…
> - it would be preferable for debian/watch to target the invent.kde.org
> repo which is now the reference repo, you have examples for GitLab tags
> here [2].
> - In the git packaging repo you have the « source » folder next to the
> « debian » folder, it should be *inside* it.
> - source/options can be removed.
> - Remove debian/compat and replace the debhelper (>= 11) build dependency
> by a debhelper-compat (= 13) build dep.
> - Remove debian/git-build-recipe.manifest? I don’t know what it’s for so
> it’s probably not useful. :)
>
>
> Feel free to ping me or the team on IRC about any of the above.
>
>
> [0] https://salsa.debian.org/qt-kde-team/extras
> [1] https://wiki.debian.org/UscanEnhancements
> [2] https://wiki.debian.org/debian/watch#Gitlab
>
>
> Thanks for your response & cheers,
> --
> Aurélien, on behalf of the Qt/KDE Packaging Team
>
>
>


Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-12-20 Thread Aurélien COUDERC
On Wednesday 12 October 2022, 11:41:50 CET Sebastien Chavaux wrote:
> Absolutely, I'm so in my head that I don't see what is the simplest...

Dear Sebastien,

as Ghostwriter has been onboarded as a KDE Project, I’d like to offer to 
integrate the package into the perimeter of the Qt/KDE Packaging Team.

We have an « extras » group [0] for packages that are related to KDE but not 
part of the main KDE Frameworks / Plasma / Gear releases that I think would be 
suitable.

How we would do this is:
- give me (couc...@debian.org) or one of the team members owner access to your 
packaging repo so we can move it to the qt-kde-team/extras group
- change the Maintainer field to: Debian KDE Extras Team 

- put yourself in the Uploaders field

What you would get:
- you keep your usual access to the repo and can work on the package as you 
used to
- team members and myself would be considered welcome to contribute to that 
repository too
- it would give additional scrutiny to the package that would show on our DDPO 
dashboard
- you’re welcome to help on other packages of the team :)

Whether you’re interested or not, you’re welcome to hang out on the 
#debian-qt-kde on Debian’s IRC for help and feedback or upload sponsorship.


To follow up on the RFS discussion:
- MathJax3 is currently not packaged so it’s fine to keep it vendored 
(3rdparty) for now. We can migrate to the Debian package once it’s available.
- The source-is-missing lintian tags are false positives to me (if lintian 
still really emits them, I haven’t checked). The folders 
3rdparty/{MathJax,react} contain valid, human modifiable source files. Please 
add a comment in the lintian-overrides file to explain so.
- You should use the Files-Excluded directive in debian/copyright [1] to 
describe which files should be removed from the upstream source. That should be 
the debian/ folder + 3rd party libraries already available in Debian.
- I would prefer the +ds suffix instead of +dfsg, +dfsg is more appropriate for 
cases where we remove upstream sources due to licensing concerns which is not 
the case here IIUC.
- uscan --download-current-version fails, it should work from a clean clone of 
the repo (the uupdate is not required unless I’m missing something), and…
- it would be preferable for debian/watch to target the invent.kde.org repo 
which is now the reference repo, you have examples for GitLab tags here [2].
- In the git packaging repo you have the « source » folder next to the « debian 
» folder, it should be *inside* it.
- source/options can be removed.
- Remove debian/compat and replace the debhelper (>= 11) build dependency by a 
debhelper-compat (= 13) build dep.
- Remove debian/git-build-recipe.manifest? I don’t know what it’s for so it’s 
probably not useful. :)


Feel free to ping me or the team on IRC about any of the above.


[0] https://salsa.debian.org/qt-kde-team/extras
[1] https://wiki.debian.org/UscanEnhancements
[2] https://wiki.debian.org/debian/watch#Gitlab


Thanks for your response & cheers,
--
Aurélien, on behalf of the Qt/KDE Packaging Team



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-16 Thread Bastian Germann

Control: tags -1 moreinfo

Please untag moreinfo when you are done with the requested changes.



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-12 Thread Bastian Germann

With the new upload's changelog you claim:
"vulnerability patched in 3rdparty/cmark-gfm CVE-2022-24724, CVE-2022-39209"

1) I do not see the +dfsg version indication represented - no repack is done.
   If you do not repack please remove the +dfsg and tell if you have verified 
the uglified
   JS to be represented in the included MathJax src.

2) I would have expected this to contain a patch that fixes CVE-2022-39209. 
There is no patch.
   If you cannot afford to fix this, remove the identifier from the changelog.
   But I will only sponsor this package when this is fixed.



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-12 Thread Sebastien Chavaux
Absolutely, I'm so in my head that I don't see what is the simplest...

On Tue 11 Oct 2022 at 21:50, Nicholas D Steeves  wrote:

> Sebastien Chavaux  writes:
>
> > it's a bit of a mess, I made changes, in debian/copyright, unfortunately
> it
> > makes build errors:
> > *** No rule to make target '3rdparty/MathJax/bin/startup.js', needed by
> > 'build/release/qrc_resources.cpp'.
> > Stop.
> > make[1]: *** Waiting for unfinished jobs
> > make[1]: Leaving directory '/build/ghostwriter-2.1.6+dfsg'
> > dh_auto_build: error: make -j6 returned exit code 2
> > make: *** [debian/rules:6: build] Error 2
> > dpkg-buildpackage: error: debian/rules build subprocess returned exit
> > status 2
> > I: copying local configuration
> > E: Failed autobuilding of package
> >
> >
>
> Isn't libjs-mathjax MathJax2, and doesn't Ghostwriter need MathJax3,
> which is incompatible with MathJax2?
>
>
> https://github.com/KDE/ghostwriter/blob/master/3rdparty/MathJax/src/package.json
>
> Here is the RFP bug for MathJax3 for anyone who is interested in
> packaging this important javascript library:
> https://bugs.debian.org/950424
>
> Regards,
> Nicholas
>


Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-11 Thread Nicholas D Steeves
Sebastien Chavaux  writes:

> it's a bit of a mess, I made changes, in debian/copyright, unfortunately it
> makes build errors:
> *** No rule to make target '3rdparty/MathJax/bin/startup.js', needed by
> 'build/release/qrc_resources.cpp'.
> Stop.
> make[1]: *** Waiting for unfinished jobs
> make[1]: Leaving directory '/build/ghostwriter-2.1.6+dfsg'
> dh_auto_build: error: make -j6 returned exit code 2
> make: *** [debian/rules:6: build] Error 2
> dpkg-buildpackage: error: debian/rules build subprocess returned exit
> status 2
> I: copying local configuration
> E: Failed autobuilding of package
>
>

Isn't libjs-mathjax MathJax2, and doesn't Ghostwriter need MathJax3,
which is incompatible with MathJax2?

  
https://github.com/KDE/ghostwriter/blob/master/3rdparty/MathJax/src/package.json

Here is the RFP bug for MathJax3 for anyone who is interested in
packaging this important javascript library:
https://bugs.debian.org/950424

Regards,
Nicholas



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-11 Thread Sebastien Chavaux
>
> For the 3rdparty/MathJax/bin/* files, there seem to be source files in
> 3rdparty/MathJax/src/*. Have you tried to build that
> 3rdparty/MathJax/bin/* directory yourself and have you checked out if
> you can replace the whole thing with libjs-mathjax?



it's a bit of a mess, I made changes, in debian/copyright, unfortunately it
makes build errors:
*** No rule to make target '3rdparty/MathJax/bin/startup.js', needed by
'build/release/qrc_resources.cpp'.
Stop.
make[1]: *** Waiting for unfinished jobs
make[1]: Leaving directory '/build/ghostwriter-2.1.6+dfsg'
dh_auto_build: error: make -j6 returned exit code 2
make: *** [debian/rules:6: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit
status 2
I: copying local configuration
E: Failed autobuilding of package





On Tue 11 Oct 2022 at 02:44, Wookey  wrote:

> On 2022-10-10 23:56 +0200, Sebastien Chavaux wrote:
> >Good evening;
> >I set build dependency in debian/control file "node-react" and
> >"libs-mathjax". For now and to test if the package builds well, I
> removed
> >the 3rdparty/MathJax/ and 3rdparty/react/ sources.  It builds and
> works
> >well that way. What would be best next, remove those two folders from
> >sources, leave them but ignore them, or whatever?  How should I do the
> >thing?
>
> Either complies with policy.
>
> There is nothing wrong with the 3rdparty stuff from a copyright
> POV. However, I prefer to remove it as it often makes a dramatically
> smaller source package, and avoids accidental regressions (to using
> the embedded copy) in later updates. It's good practice to adjust the
> version number to show that the tarball has been repacked from what
> upstream released.
>
> Just put 3rdparty into files-excluded: in the debian/copyright file, and
> set up the watch file to repack/rename.
> https://wiki.debian.org/Javascript/Repacking
> https://wiki.debian.org/UscanEnhancements
>
> Wookey
> --
> Principal hats:  Debian, Wookware, ARM
> http://wookware.org/
>


Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-11 Thread Sebastien Chavaux
Many thanks Wookey.

However, I searched, moreover with an example (Pelican since a theme is
removed from it in this way) but my search never gave me this page. I will
have to look carefully at all the pages of the documentation.

You are goldmines of knowledge!

On Tue 11 Oct 2022 at 02:44, Wookey  wrote:

> On 2022-10-10 23:56 +0200, Sebastien Chavaux wrote:
> >Good evening;
> >I set build dependency in debian/control file "node-react" and
> >"libs-mathjax". For now and to test if the package builds well, I
> removed
> >the 3rdparty/MathJax/ and 3rdparty/react/ sources.  It builds and
> works
> >well that way. What would be best next, remove those two folders from
> >sources, leave them but ignore them, or whatever?  How should I do the
> >thing?
>
> Either complies with policy.
>
> There is nothing wrong with the 3rdparty stuff from a copyright
> POV. However, I prefer to remove it as it often makes a dramatically
> smaller source package, and avoids accidental regressions (to using
> the embedded copy) in later updates. It's good practice to adjust the
> version number to show that the tarball has been repacked from what
> upstream released.
>
> Just put 3rdparty into files-excluded: in the debian/copyright file, and
> set up the watch file to repack/rename.
> https://wiki.debian.org/Javascript/Repacking
> https://wiki.debian.org/UscanEnhancements
>
> Wookey
> --
> Principal hats:  Debian, Wookware, ARM
> http://wookware.org/
>


Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-10 Thread Wookey
On 2022-10-10 23:56 +0200, Sebastien Chavaux wrote:
>Good evening;
>I set build dependency in debian/control file "node-react" and
>"libs-mathjax". For now and to test if the package builds well, I removed
>the 3rdparty/MathJax/ and 3rdparty/react/ sources.  It builds and works
>well that way. What would be best next, remove those two folders from
>sources, leave them but ignore them, or whatever?  How should I do the
>thing?

Either complies with policy.

There is nothing wrong with the 3rdparty stuff from a copyright
POV. However, I prefer to remove it as it often makes a dramatically
smaller source package, and avoids accidental regressions (to using
the embedded copy) in later updates. It's good practice to adjust the
version number to show that the tarball has been repacked from what
upstream released.

Just put 3rdparty into files-excluded: in the debian/copyright file, and set 
up the watch file to repack/rename.
https://wiki.debian.org/Javascript/Repacking
https://wiki.debian.org/UscanEnhancements

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/
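What the repack Wookey describes above looks like once Aurélien's later checklist is applied (Files-Excluded in debian/copyright, a +ds suffix, a watch file on the invent.kde.org tags): an added illustration, not the package's actual debian/watch or debian/copyright. The office/ghostwriter group path and the tag-matching regex are assumptions to check against the repository and the wiki pages linked in the thread.

```text
# ---- debian/watch (example; the office/ghostwriter path is assumed) ----
version=4
# repacksuffix appends +ds to the tarball uscan rebuilds after dropping the
# Files-Excluded paths; dversionmangle=auto strips it again when comparing
# with the version in debian/changelog, so --download-current-version works.
opts="repacksuffix=+ds,dversionmangle=auto,\
filenamemangle=s%.*/ghostwriter-v?(\d[\d.]*)\.tar\.gz%ghostwriter-$1.tar.gz%" \
  https://invent.kde.org/office/ghostwriter/-/tags?sort=updated_desc \
  .*/archive/v?@ANY_VERSION@/ghostwriter-v?[\d.]+@ARCHIVE_EXT@

# ---- debian/copyright, header paragraph (example) ----
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: ghostwriter
Source: https://invent.kde.org/office/ghostwriter
Files-Excluded:
 debian
 3rdparty/react
 3rdparty/cmark-gfm
Comment: debian/ is upstream's own packaging directory. react and cmark-gfm
 are dropped so the build uses the Debian packages and the vendored copies
 cannot silently lag behind the archive's security updates. 3rdparty/MathJax
 stays vendored for now: MathJax 3 is not packaged yet (RFP #950424) and
 3rdparty/MathJax/src holds the human-editable source for bin/.
```

After `uscan --download-current-version` the resulting orig tarball should be named ghostwriter_2.2.0+ds.orig.tar.xz and contain none of the excluded paths.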



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-10 Thread Sebastien Chavaux
Good evening;

I set build dependency in debian/control file "node-react" and
"libs-mathjax". For now and to test if the package builds well, I removed
the 3rdparty/MathJax/ and 3rdparty/react/ sources. It builds and works well
that way. What would be best next, remove those two folders from sources,
leave them but ignore them, or whatever? How should I do the thing?

Thanks.

On Mon 10 Oct 2022 at 17:30, Sebastien CHAVAUX  wrote:

> Hello, Thank you for the advice, precisely I'm curious, I would be
> interested in replacing all his "needs" of the "3rdparty" file by what is
> available in the Debian repositories, is this possible? How should I go
> about it? I just have to name them in the debian/control file as
> "Build-Depends"?
> On 08/10/2022 at 20:47, Bastian Germann wrote:
>
> Yes, everything is from the upstream tarball.
> The files that lintian complains about are "uglified" JavaScript files
> which we do not accept as source in Debian.
>
> For the 3rdparty/MathJax/bin/* files, there seem to be source files in
> 3rdparty/MathJax/src/*. Have you tried to build that 3rdparty/MathJax/bin/*
> directory yourself and have you checked out if you can replace the whole
> thing with libjs-mathjax?
>
>


Re: Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-10 Thread Wookey
On 2022-10-10 17:30 +0200, Sebastien CHAVAUX wrote:
>Hello,  Thank you for the advice, precisely I'm curious, I would be
>interested in replacing all his "needs" of the "3rdparty" file by what is
>available in the Debian repositories, is this possible?

It is recommended where possible.

> How should I go
>about it? I just have to name them in the debian/control file as
>"Build-Depends"?

Ideally, that is all that is required. You may have to adjust internal paths to 
make sure that the system version (in /usr/share/javascript) is used 
(referred-to as http://localhost/javascript/)

If that version is too old then investigate if it can be updated (without 
breaking other depending packages)

If the package is not yet present then ideally package that too. 

Info here: https://wiki.debian.org/Javascript


Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-10 Thread Sebastien CHAVAUX
Hello, Thank you for the advice, precisely I'm curious, I would be 
interested in replacing all his "needs" of the "3rdparty" file by what 
is available in the Debian repositories, is this possible? How should I 
go about it? I just have to name them in the debian/control file as 
"Build-Depends"?


On 08/10/2022 at 20:47, Bastian Germann wrote:

Yes, everything is from the upstream tarball.
The files that lintian complains about are "uglified" JavaScript files 
which we do not accept as source in Debian.


For the 3rdparty/MathJax/bin/* files, there seem to be source files in 
3rdparty/MathJax/src/*. Have you tried to build that 
3rdparty/MathJax/bin/* directory yourself and have you checked out if 
you can replace the whole thing with libjs-mathjax? 

Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-08 Thread Bastian Germann

On 08.10.22 at 19:01, Sebastien CHAVAUX wrote:


"I do not know what that means. I do not care about the lintian override

but the non-source files."


I didn't add anything, everything there is from the project sources.



Yes, everything is from the upstream tarball.
The files that lintian complains about are "uglified" JavaScript files 
which we do not accept as source in Debian.


For the 3rdparty/MathJax/bin/* files, there seem to be source files in 
3rdparty/MathJax/src/*. Have you tried to build that 
3rdparty/MathJax/bin/* directory yourself and have you checked out if 
you can replace the whole thing with libjs-mathjax?




Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-08 Thread Sebastien CHAVAUX

   "That is right for CVE-2022-24724 but CVE-2022-39209 != CVE-2022-24724."



I hadn't seen this one.



"I do not know what that means. I do not care about the lintian override

but the non-source files."


I didn't add anything, everything there is from the project sources.


On 08/10/2022 at 13:28, Bastian Germann wrote:

On 08.10.22 at 12:33, Sebastien CHAVAUX wrote:
  To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm 
before 0.29.0.gfm.3 and 0.28.3.gfm.21:


  This vulnerability has been patched in the following cmark-gfm 
versions 0.29.0.gfm.3 and 0.28.3.gfm.21.


https://security-tracker.debian.org/tracker/CVE-2022-24724


That is right for CVE-2022-24724 but CVE-2022-39209 != CVE-2022-24724.

I replaced the lintian message in debian/source/lintian-overrides 
precisely to avoid an overflow error, in short, it's been done since 
a yawn without ever causing any problems, for proof it's already the 
case in the ghostwriter version in backport (2.0.2-2~bpo11+1), that's 
what I was advised to do at the time.


I do not know what that means. I do not care about the lintian 
override but the non-source files.


Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-08 Thread Bastian Germann

On 08.10.22 at 12:33, Sebastien CHAVAUX wrote:
  To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm before 
0.29.0.gfm.3 and 0.28.3.gfm.21:


  This vulnerability has been patched in the following cmark-gfm 
versions 0.29.0.gfm.3 and 0.28.3.gfm.21.


https://security-tracker.debian.org/tracker/CVE-2022-24724


That is right for CVE-2022-24724 but CVE-2022-39209 != CVE-2022-24724.

I replaced the lintian message in debian/source/lintian-overrides 
precisely to avoid an overflow error, in short, it's been done since a 
yawn without ever causing any problems, for proof it's already the case 
in the ghostwriter version in backport (2.0.2-2~bpo11+1), that's what I 
was advised to do at the time.


I do not know what that means. I do not care about the lintian override 
but the non-source files.




Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-08 Thread Sebastien CHAVAUX

Hello,


 To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm before 
0.29.0.gfm.3 and 0.28.3.gfm.21:


 This vulnerability has been patched in the following cmark-gfm 
versions 0.29.0.gfm.3 and 0.28.3.gfm.21.


https://security-tracker.debian.org/tracker/CVE-2022-24724


However, the version given is indeed 0.29.0.gfm.3 (Fixes #741: Update to 
cmark-gfm 0.29.0.gfm.3 to patch vulnerability) 
https://github.com/KDE/ghostwriter/tree/release/3rdparty/cmark-gfm.



 I will replace the home page, as well as the github tag, weird that it 
no longer works since I repatriated the sources via `uscan` but it will 
be done. Actually no, not that weird since the upstream author released 
this 2.2.0 version first on his github and then made the switch to kde's.



I replaced the lintian message in debian/source/lintian-overrides 
precisely to avoid an overflow error, in short, it's been done since a 
yawn without ever causing any problems, for proof it's already the case 
in the ghostwriter version in backport (2.0.2-2~bpo11+1), that's what I 
was advised to do at the time.


Cordially.

On 07/10/2022 at 11:19, Bastian Germann wrote:
Also, the homepage should be replaced with 
https://kde.github.io/ghostwriter and the watch file should scan 
GitHub's tags page instead of releases (does not work anymore).


I do not see the corresponding source for a lot of minified JavaScript 
files in 3rdparty/MathJax/bin.
You try to override the lintian msg in debian/source/lintian-overrides 
but do not give a reason for it. 

Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-07 Thread Bastian Germann
CVE-2022-39209 is not fixed. Please replace the vendored cmark-gfm library with the Debian package and help its 
maintainer to import the new upstream version.


Also, the homepage should be replaced with https://kde.github.io/ghostwriter and the watch file should scan GitHub's tags 
page instead of releases (does not work anymore).


I do not see the corresponding source for a lot of minified JavaScript files in 
3rdparty/MathJax/bin.
You try to override the lintian msg in debian/source/lintian-overrides but do 
not give a reason for it.



Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor

2022-10-06 Thread Sebastien Chavaux
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package "ghostwriter":

 * Package name : ghostwriter
   Version  : 2.2.0-1
   Upstream contact : wereturtle 
 * URL  : https://wereturtle.github.io/ghostwriter/
 * License  : Expat, GPL-3.0+, CC-BY-SA-4.0, GPL-3.0, ISC
 * Vcs  : https://salsa.debian.org/seb95-guest/ghostwriter
   Section  : editors

The source builds the following binary packages:

  ghostwriter - Distraction-free, themeable Markdown editor

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/ghostwriter/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/g/ghostwriter/ghostwriter_2.2.0-1.dsc

Changes since the last upload:

 ghostwriter (2.2.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/control: set Standards-Version: to 4.6.1
   * debian/control: address correction
   * debian/watch: address correction
   * CVE-2022-24724 (Closes: #1006757)

Regards,