Bug#920749: [Pkg-javascript-devel] Bug#920749: popper.js: contains generated code uncertain if fully included as source
Le 29/01/2019 à 15:23, Jonas Smedegaard a écrit : > Quoting Xavier (2019-01-29 07:41:40) >> Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit : >>> Source: popper.js >>> Version: 1.14.6+ds-1 >>> Severity: serious >>> Justification: Policy 2.1 >>> >>> Source package contains several files (seemingly all of them) below >>> which does not exist in upstream version tracking and therefore >>> are not in the form preferred upstream, and more importantly may include >>> other code than the actual source below . >>> >>> - Jonas >> >> Upstream author does provide dist/* files in release commits (example: >> https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) >> >> and remove them from master at next commit. > > Yes, upstream ships pre-generated code. > > Sorry that I was sloppy and my initial email could be read as "this bug > is that upstream did not at all commit those files to git" - what I > meant to say is "this bug is that upstream seems to not intend for those > files to be their preferred form for their own source editing". > > >> This generated files are readable javascript files, unminified and >> well commented (a sort of webpack of packages/* files). > > Yes, pre-generated code is readable (a.k.a. beautified not minified). > > Readability of pre-generated code is irrelevant for this bug. What is > relevant is that source is provided for everything we distribute. > > Simplest way to ensure that is to not include pre-generated code with > source. > > There are other ways too, but looking for loopholes is _more_ complex > and _easier to do wrong. > > >> To reproduce build, many dependencies are needed. So the choices are: >> - doing nothing, twitter-bootstrap4 will be removed from buster with >>all its reverse dependencies >> - package many new modules (I've no time to do this) >> - decrease this severity issue > > Yes, reproducing upstream build is likely too complex. > > There are other options, however: > > - stitch things together in a creative new way > - roll back to an earlier release with less complex build routines > > >> NB: upstream build can be reproduce only using yarnpkg, failed with npm: >> $ yarnpkg install >> $ yarnpkg build > > I fail to see how it is relevant for this bug: We use deb _instead_ of > either of those packaging systems! > > (a _helper_ tool like npm2deb might have been handy and might fail here, > but that is unrelated to this bug) Hello, kapouer found a way to fix this (built with node-buble). Closed now. Could you review twitter-bootstrap4 now ? Cheers, Xavier
Bug#920749: [Pkg-javascript-devel] Bug#920749: popper.js: contains generated code uncertain if fully included as source
Quoting Xavier (2019-01-29 07:41:40) > Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit : > > Source: popper.js > > Version: 1.14.6+ds-1 > > Severity: serious > > Justification: Policy 2.1 > > > > Source package contains several files (seemingly all of them) below > > which does not exist in upstream version tracking and therefore > > are not in the form preferred upstream, and more importantly may include > > other code than the actual source below . > > > > - Jonas > > Upstream author does provide dist/* files in release commits (example: > https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) > > and remove them from master at next commit. Yes, upstream ships pre-generated code. Sorry that I was sloppy and my initial email could be read as "this bug is that upstream did not at all commit those files to git" - what I meant to say is "this bug is that upstream seems to not intend for those files to be their preferred form for their own source editing". > This generated files are readable javascript files, unminified and > well commented (a sort of webpack of packages/* files). Yes, pre-generated code is readable (a.k.a. beautified not minified). Readability of pre-generated code is irrelevant for this bug. What is relevant is that source is provided for everything we distribute. Simplest way to ensure that is to not include pre-generated code with source. There are other ways too, but looking for loopholes is _more_ complex and _easier to do wrong. > To reproduce build, many dependencies are needed. So the choices are: > - doing nothing, twitter-bootstrap4 will be removed from buster with >all its reverse dependencies > - package many new modules (I've no time to do this) > - decrease this severity issue Yes, reproducing upstream build is likely too complex. There are other options, however: - stitch things together in a creative new way - roll back to an earlier release with less complex build routines > NB: upstream build can be reproduce only using yarnpkg, failed with npm: > $ yarnpkg install > $ yarnpkg build I fail to see how it is relevant for this bug: We use deb _instead_ of either of those packaging systems! (a _helper_ tool like npm2deb might have been handy and might fail here, but that is unrelated to this bug) - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: signature
Bug#920749: [Pkg-javascript-devel] Bug#920749: popper.js: contains generated code uncertain if fully included as source
Le 29/01/2019 à 07:41, Xavier a écrit : > Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit : >> Source: popper.js >> Version: 1.14.6+ds-1 >> Severity: serious >> Justification: Policy 2.1 >> >> Source package contains several files (seemingly all of them) below >> which does not exist in upstream version tracking and therefore >> are not in the form preferred upstream, and more importantly may include >> other code than the actual source below . >> >> - Jonas > > Upstream author does provide dist/* files in release commits (example: > https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) > and remove them from master at next commit. This generated files are > readable javascript files, unminified and well commented (a sort of > webpack of packages/* files). > > To reproduce build, many dependencies are needed. So the choices are: > - doing nothing, twitter-bootstrap4 will be removed from buster with >all its reverse dependencies > - package many new modules (I've no time to do this) > - decrease this severity issue > > NB: upstream build can be reproduce only using yarnpkg, failed with npm: > $ yarnpkg install > $ yarnpkg build > > Cheers, > Xavier kapouer found a way to fix this, many thanks ! WIP
Bug#920749: [Pkg-javascript-devel] Bug#920749: popper.js: contains generated code uncertain if fully included as source
Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit : > Source: popper.js > Version: 1.14.6+ds-1 > Severity: serious > Justification: Policy 2.1 > > Source package contains several files (seemingly all of them) below > which does not exist in upstream version tracking and therefore > are not in the form preferred upstream, and more importantly may include > other code than the actual source below . > > - Jonas Upstream author does provide dist/* files in release commits (example: https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) and remove them from master at next commit. This generated files are readable javascript files, unminified and well commented (a sort of webpack of packages/* files). To reproduce build, many dependencies are needed. So the choices are: - doing nothing, twitter-bootstrap4 will be removed from buster with all its reverse dependencies - package many new modules (I've no time to do this) - decrease this severity issue NB: upstream build can be reproduce only using yarnpkg, failed with npm: $ yarnpkg install $ yarnpkg build Cheers, Xavier