[Pkg-javascript-devel] JavaScript policy?

François-Régis frv at miradou.com
Wed Mar 26 22:03:11 UTC 2014


Hi Emilien,

On 26/03/2014 22:10, Emilien Klein wrote:
> 2014-03-25 23:34 GMT+01:00 François-Régis <frv at miradou.com>:
>> I should have said "A pkg-javascript policy could be we don't embed
>> minified files into orig tarball"
> 
> This is correct when Debian packager == upstream maintainer. For most
> packages, that is not the case.

This is of course not the subject.

> The current policy (we need to have that documented on [0]) is that if
> the upstream tarball contains minified files, the upstream tarball
> must be repackaged to exclude these files. The Debian package then
> uses the repackaged tarball.

David points us to [1], which is crystal clear: we shouldn't modify the
original tarball, providing minified files as original js sources. And
upstream generally provides a minified version as we do. So I ask the same
question as David: where is this policy? And why does Marcello ask to
remove minified files from orig [2]?

[1]
https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.html#repackagedorigtargz
[2]
http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/2014-March/007176.html

> The current policy is made using the assumption that minified == compiled.
> For my information: Has this ever clearly and definitively been established?

This assumption (==) is obviously false from a packaging POV. Compiling
means building a binary file dedicated to an arch; minifying means
building a file (not human readable) for all arch.

> I agree that we shouldn't be redistributing *compiled* software that
> we can't guarantee hasn't been fiddled with. That is indeed very
> difficult to do with e.g. a compiled C program.
> Minified files is a practice in the JavaScript developer community to
> provide smaller files (mainly for performance reasons), but they
> remain JavaScript scripts, only harder for a human to read. If you
> look at the Wikipedia article (obvious mention about possible
> unreliability applies) about minification [1], it doesn't compare it
> to compilation (only mention of "compil*" is about the Closure
> compiler, which is not what we're talking about).

I may be wrong, but what we distribute is a binary package, which shouldn't
include the minified version from the source tarball but only ones we have built.

> To help make this situation clearer, can somebody point us to (1) the
> exact part of the DFSG or policy that we're using to base our "exclude
> minified files from orig tarball" policy and (2) where discussions
> have been led with folks outside of our team (e.g. -devel) about the
> undistributable character of minified files in upstream tarballs?

Yes, this is the good question...

Cheers,

-- 
François-Régis


