On Mon, 11 Jul 2016 12:06:57 +0530 Pirate Praveen <prav...@onenetbeyond.org> wrote:

> Hi,
>
> There is a bug with severity serious filed against libjs-handlebars
> [1] (it is also a bug in ruby-handlebars-assets).
>
> The corresponding source code is present in libjs-handlebars (only in
> experimental right now, but it could be reuploaded to unstable once I
> have clarity).
>
> It needs grunt to be packaged [2] to be able to browserify it in
> debian.

Not necessarily.

0: minification using grunt produces code which is not simple to patch, especially when multiple patches need to be applied to a single file, but grunt is a means to an end, not necessarily a requirement itself.

1: The objective of minification can be resolved using minification tools other than grunt in many cases - e.g. uglify.

2: The fact that the minified code in Debian differs from the minified code from upstream is irrelevant as long as upstream and Debian have the same unminified source code and upstream agree to support the unminified source code. Any minified files in the release tarball need to be removed during the packaging.

3: There is scope for bugs with any change in the build process, it just needs testing.

4: Other packages use a process which ties this in with replacing embedded copies of upstream JS with symlinks to packaged files, so the change of minification tool only affects JS which is not already present in Debian - those will already be using a minification tool other than grunt. Sharing this code helps provide assurance that the change in the build tool has not affected performance.

5: You may be able to provide evidence to upstream that a different minification tool could be used by upstream.

> I agree it is nice to be able to browserify it in debian, but I don't
> think it is serious enough to be removed from debian or moved to
> non-free.

It's not just "nice", it is necessary. It's not just "browserify", it's a step in the build process.

We use a script to handle the minification and removal of symlinks:
https://sources.debian.net/src/lava-server/2016.6-2/share/javascript.py/

and a file (in this case maintained by upstream) to specify handling:
https://sources.debian.net/src/lava-server/2016.6-2/share/javascript.yaml/

This is then just called from debian/rules:
https://sources.debian.net/src/lava-server/2016.6-2/debian/rules/#L55

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
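
Point 2 of the reply above (prebuilt minified files are removed during packaging and regenerated from the unminified source) can be checked mechanically. The following is an added example, not part of the original message and not the lava-server `javascript.py` script; the function names, the `*.min.js`/`*.min.css` naming convention and the same-directory sibling rule are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption: minified files follow the common *.min.js / *.min.css naming.
MIN_SUFFIXES = (".min.js", ".min.css")


def audit_minified(tree):
    """Split shipped minified files into (with_source, without_source).

    "With source" means the unminified sibling (foo.js for foo.min.js)
    sits in the same directory; paths are relative to `tree`.
    """
    with_source, without_source = [], []
    for root, _dirs, files in os.walk(tree):
        present = set(files)
        for name in files:
            suffix = next((s for s in MIN_SUFFIXES if name.endswith(s)), None)
            if suffix is None:
                continue
            plain = name[: -len(suffix)] + suffix[len(".min"):]
            rel = os.path.relpath(os.path.join(root, name), tree)
            (with_source if plain in present else without_source).append(rel)
    return sorted(with_source), sorted(without_source)


def strip_minified(tree):
    """Remove every prebuilt minified file so the build has to regenerate it."""
    with_source, without_source = audit_minified(tree)
    removed = with_source + without_source
    for rel in removed:
        os.remove(os.path.join(tree, rel))
    return removed


def build_sample_tree():
    """Constructed sample: one minified file with source, one without."""
    tree = tempfile.mkdtemp(prefix="upstream-")
    js = os.path.join(tree, "static", "js")
    os.makedirs(js)
    for name in ("handlebars.js", "handlebars.min.js", "vendor.min.js"):
        with open(os.path.join(js, name), "w") as fh:
            fh.write("/* constructed sample */\n")
    return tree


if __name__ == "__main__":
    tree = build_sample_tree()
    ok, missing = audit_minified(tree)
    print("rebuildable from shipped source:", ok)
    print("no unminified source in tree:", missing)
    print("removed before build:", strip_minified(tree))
```

Files reported in the second list are the ones that need their source located elsewhere (for example in an existing Debian package) before the build can regenerate them.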