Hello Yokota, yokota <yokota.h...@gmail.com> writes:
> Hello Nicholas, > >> I'm reporting this bug against the first version of Calibre for Debian that >> hypothetically could have used the new "node-mathjax-full" package. >> It seems worthwhile to start using "node-mathjax-full" for trixie, because >> then our copy of Calibre would benefit from security fixes to it. > > Debian MathJax 3 was once enabled before, but disabled again because > Debian MathJax 3 pulls many big (> 100M bytes) packages. > See also Debian bug 1068765. > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068765 Thank you for referring me to that bug, because I hadn't realised that this complication existed. > Do you think it's worth to pay disk space? > If you say "yes", I will revert Debian bug 1068765 fix. I suspect that this is a false dilemma: ((bundled) OR (hard *Depends* on node-mathjax-full)) 1. One alternative that Gregor Herrmann asked about in #1068765 is if Calibre can have a run-time *Recommends* on node-mathjax-full. Calibre may not yet be able to gracefully handle missing dependencies, so this would need to be tested (ie: output a warning and don't crash!). Ideal scenario for this approach would be that it profiles an "apt://node-mathjax-full" type URL and "sudo apt install node-mathjax-full" so that user can: a) Click to link so that GNOME Software or KDE Discover, or maybe even Synaptic will install the required package. b) Copy & paste the terminal command, enter sudo password, install, restart Calibre, and have working MathJax. 2. Another alternative is unbundling the upstream copy, and making node-mathjax-full a *Build-Depend*. If done correctly, Calibre's build system won't be able to tell the difference. Yes, this means that Calibre for Debian continues to install its own copy of MathJax3, but the solution means we can binNMU src:calibre to rebuild it against updated Debian MathJax3--if necessary (this has lower risk of breakage than backporting upstream changes, and the release team and security team prefer it to using upstream-bundled copies and fixes). 3. Yet another is file a bug against the source package for node-mathjax-full and explain how this packages doesn't meet the needs of Debian packages that previously depended on bin:mathjax. We only need 1.4M of MathJax3, and it's certain that this is the case for other Debian packages. Please consider the advantages and disadvantages of each of these options. If you like the approach of #3 then you'll need to file a bug (using reportbug, not just sending an email) asap, because the freeze has already begun. It may be that #3 is no longer possible for trixie. I'll try to answer any questions you have. Kind regards, Nicholas P.S. Please feel free to quote this email freely and if you'd like to CC me for any discussions that's OK too. P.P.S. Sorry for the length of this email; my hope is that the long-form of this one will be more useful than a burden, but please let me know if this isn't the case!
signature.asc
Description: PGP signature
