On Mon, 15 Feb 2016 11:43:07 AM Patrick Matthäi wrote:
> I do not comply with your report.

What do you mean?

> I am aware of those issues, that is
> also why the embedded-code-copies bug is marked as "need help".

And this is why I provided some hints how you can address those problems in my bug report. This is why I wrote to you after I stabilised "ckeditor" so you could use it.

> OTRS packaging is a hard job

Please do not use it as an excuse for abusing DFSG. I do understand the challenges but I do not understand neglect.

> and mostly it is not possible to replace the
> libjs thirdparty foo with the packages from Debian, mostly because of
> version mismatches.

Hold on, you are answering the least important concern. There are cases when replacing a bundled library with the system one could be fragile or not suitable. But you can't ship and use untrusted pre-minified upstream files with who-knows-what...

> Nobody is willing (or in my case able) to fix those
> JS issues, which appear here and then with different versions in
> different places (ugly JS sh..).

At least I gave you "ckeditor", didn't I? That's one less problem to deal with...

> If everything is simple for you and just replacements have to be done
> (which is not the case) then I would be happy to welcome you on the
> otrs-packaging board.

It is simple enough. Although some system libraries should be safe to use, you do not have to use only system libraries. But you have to get rid of non-DFSG precompiled binaries. I appreciate your invitation but unfortunately I have no time for otrs.

> Just a short example:
> With 5.0.1-2 I had to drop (and inform the security team) about removing
> again the use of the libjs-jquery* packages from Debian, because of #802938

I agree that using a "libjs-jquery-ui" package of a different version than the bundled one is fragile. Though with "libjs-jquery" you'd probably be safe as long as you do not cross the 1.9.0 boundary. However, you must not use the pre-minified "jquery-ui.js" as it is shipped in orig.tar.

As a very minimum you have to replace it with the original uncompressed version that you have to ship in "debian/missing-sources" and ideally report pre-built binaries as a bug to upstream. If you believe in minification then you can minify at build time. You cannot trust source-less, unreadable, unmodifiable pre-built binaries. I suppose lintian already warned you long before I did.

I wrote the following wiki page that I use when I make upstream bug reports about minified binaries -- I hope you might find it useful:

https://wiki.debian.org/onlyjob/no-minification

-- 
Regards,
 Dmitry Smirnov.

---

Truth — Something somehow discreditable to someone.
        -- H. L. Mencken, 1949