[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On Fri, 2012-06-15 at 14:20 +0200, Raphaël Hertzog wrote: > Package: libjs-jquery-ui > Version: 1.8.ooops.21+dfsg-1 > Severity: wishlist > > It would be nice if you could also provide the various *.min.js files that > upstream does provide. > > I understand that you provide jquery.ui.min.js which includes everything > but there are plenty of applications which embed a subset of the various > *.min.js files (in my case Wordpress) and it would be nice if we could > replace them with a symlink. > > Ideally you would even provide pristine copy of those files so that we can > more easily identify when they are really the same files or not (this > means that you should not minify them during build unless you have changed > the original file as well). This is particularly interesting so that > people can use the "deduplicate" command of dh-linktree instead > of blindly replacing the files by symlinks. > > Thank you for considering it! I will minify files from source (using uglify) instead of shipping upstream version, because it could be considered as a policy violation. Cheers, -- Marcelo Jorge Vieira xmpp:me...@jabber-br.org http://metaldot.alucinados.com signature.asc Description: This is a digitally signed message part ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On 12-06-15 at 10:23pm, Raphael Hertzog wrote: > On Fri, 15 Jun 2012, Jonas Smedegaard wrote: > > On 12-06-15 at 09:28pm, Raphael Hertzog wrote: > > > Right. At least it would be nice to use the same minifier tool > > > than upstream in the hope to generate the same minified file then. > > > > I disagree. That would be comparable to using same C compiler with > > same compile options (with less success for C than for JavaScript, > > probably). > > Well, it's not exactly on the same scope, no. Minifying changes the > "appearance" of the file, not its intrinsic nature. > > > As I understand it, the need for producing identical minification > > output is only to ease identification of those files, which I > > believe is better and more reliably done by hashing, with no ill > > sideeffects (e.g. some minifiers sometimes produce broken output). > > I agree that hashing would be more reliable, but it's also much more > work for everybody and the infrastructure doesn't exist yet... so I > don't see why using the same minifier could not be a sane > recommendation in the mean time. * some minifiers produce broken results sometimes for some code. (as already mentioned earlier). The use of different minifier may reveal bugs in upstream code or in Debian packaged minifier and/or JavaScript code. * Different versions of minifiers produce different minifications. Maintaining multiple versions of minifiers around for the purpose of being able to reproduce upstream minification seems quite wrong to me. * Some minifiers exist as web services, not (DFSG-free) local tools. Some of above are not arguments against _trying_ to mimic upstream, only in the likelihood of success. But as a principle I find it to be a wrong aim for Debian to mimic upstream regarding minification - whether or not it is "appearance" only: The purpose of minification is efficiency, and we should pick the most efficient minifier available to us, no matter if it happens to produce exact same results as upstream minification. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On Fri, 15 Jun 2012, Jonas Smedegaard wrote: > On 12-06-15 at 09:28pm, Raphael Hertzog wrote: > > Right. At least it would be nice to use the same minifier tool than > > upstream in the hope to generate the same minified file then. > > I disagree. That would be comparable to using same C compiler with same > compile options (with less success for C than for JavaScript, probably). Well, it's not exactly on the same scope, no. Minifying changes the "appearance" of the file, not its intrinsic nature. > As I understand it, the need for producing identical minification output > is only to ease identification of those files, which I believe is better > and more reliably done by hashing, with no ill sideeffects (e.g. some > minifiers sometimes produce broken output). I agree that hashing would be more reliable, but it's also much more work for everybody and the infrastructure doesn't exist yet... so I don't see why using the same minifier could not be a sane recommendation in the mean time. > Does it make sense now? Yes, thank you for the explanation. Cheers, -- Raphaël Hertzog ◈ Debian Developer Get the Debian Administrator's Handbook: → http://debian-handbook.info/get/ ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On 12-06-15 at 09:28pm, Raphael Hertzog wrote: > On Fri, 15 Jun 2012, Jonas Smedegaard wrote: > > I agree that all[1] javascript files offered for browser use (i.e. > > below /usr/share/javascript/) should include a minified variant. I > > disagree, however, that upstream minification should be used, as it > > raise the risk of flaws or mallice passed on unnoticed from upstream > > to Debian: changes to minified files cannot be checked with simple > > "git diff" as is the case for most[2] upstream preferred source > > formats. > > Right. At least it would be nice to use the same minifier tool than > upstream in the hope to generate the same minified file then. I disagree. That would be comparable to using same C compiler with same compile options (with less success for C than for JavaScript, probably). As I understand it, the need for producing identical minification output is only to ease identification of those files, which I believe is better and more reliably done by hashing, with no ill sideeffects (e.g. some minifiers sometimes produce broken output). > > Perhaps dh-linktree could be extended to check against hashes too, > > and a packaging helper tool could be developed to generate lists of > > (alternative) hashes for files shipped with binary packages. > > Can you elaborate? > > How would you generate those hashes? I would ship with the binary package a hint file containing lines of a) path to JavaScript file as shipped in Debian and b) md5sum[1] for equivalent upstream file. One line per file hinted about. Right now we are talking about minifications being different, but patching, unix line-ends, utf8 re-encoding might also lead to Debian files not matching exactly files shipped by others. Might also be that upstream ships a different file in the tarball than is popular to include as convenience code copy in other projects. It might therefore make sense to include such hints not only for minified files but for _all_ JavaSript files included with Debian binary package but not matching exactly its upstream counterpart. > Would you try to minify the original file with all the possible > minifiers and store the list of hashes? I would include a hash for the file you described a need for identifying when building other packages: the upstream shipped minified file. When I wrote "hashes" as plural, I just imagined that for the cases of multiple minifications of same source being commonly included as convenience code copies in projects, it would be handly to be able to file a bugreport against the corresponding Debian packaged JavsScript file to extend the hinting with an additional hash. I would expect that to be uncommon, though, so if cumbersome to implement or express neatly, it may not be a big loss. Does it make sense now? NB! I do not offer to implement this, just share my thoughts here. Regards, - Jonas [1] or sha1sum or whatever - I don't know which of these is most suitable for this purpose. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On Fri, 15 Jun 2012, Jonas Smedegaard wrote: > I agree that all[1] javascript files offered for browser use (i.e. below > /usr/share/javascript/) should include a minified variant. I disagree, > however, that upstream minification should be used, as it raise the risk > of flaws or mallice passed on unnoticed from upstream to Debian: changes > to minified files cannot be checked with simple "git diff" as is the > case for most[2] upstream preferred source formats. Right. At least it would be nice to use the same minifier tool than upstream in the hope to generate the same minified file then. > Perhaps dh-linktree could be extended to check against hashes too, and a > packaging helper tool could be developed to generate lists of > (alternative) hashes for files shipped with binary packages. Can you elaborate? How would you generate those hashes? Would you try to minify the original file with all the possible minifiers and store the list of hashes? Cheers, -- Raphaël Hertzog ◈ Debian Developer Get the Debian Administrator's Handbook: → http://debian-handbook.info/get/ ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too
On 12-06-15 at 02:20pm, Raphaël Hertzog wrote: > It would be nice if you could also provide the various *.min.js files > that upstream does provide. > > I understand that you provide jquery.ui.min.js which includes > everything but there are plenty of applications which embed a subset > of the various *.min.js files (in my case Wordpress) and it would be > nice if we could replace them with a symlink. > > Ideally you would even provide pristine copy of those files so that we > can more easily identify when they are really the same files or not > (this means that you should not minify them during build unless you > have changed the original file as well). This is particularly > interesting so that people can use the "deduplicate" command of > dh-linktree instead of blindly replacing the files by symlinks. I agree that all[1] javascript files offered for browser use (i.e. below /usr/share/javascript/) should include a minified variant. I disagree, however, that upstream minification should be used, as it raise the risk of flaws or mallice passed on unnoticed from upstream to Debian: changes to minified files cannot be checked with simple "git diff" as is the case for most[2] upstream preferred source formats. Perhaps dh-linktree could be extended to check against hashes too, and a packaging helper tool could be developed to generate lists of (alternative) hashes for files shipped with binary packages. Regards, - Jonas [1] when it makes sense - i.e. not e.g. when file is too small to gain any benefit from minification. [2] at least one project - etoys - use a binary format as preferred source format, and for that very reason is placed in non-free even if DFSG-free, due to the Debian Security Team judging it too difficult to reliably handle eventually security patches for it. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
