[pkg-crosswire-devel] Bug#1017083: bibledit: Some sources are not included in your package

Bastien Roucariès rouca at debian.org
Sat Aug 13 12:19:43 BST 2022


Source: bibledit
Version: 5.0.983-1
Severity: serious
Tags: upstream ftbfs security
Justification: DFSG #2
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>, debian-qa at lists.debian.org

Dear Maintainer,

Your package includes some files that seem to lack sources
in preferred forms of modification:

 # Several minified JavaScript objects are included. Upstream did this
intentionally. There are several minifiers, like YUI, Uglify.JS, and others.
Each of them employs its own algorithm to make the source smaller. Upstream
included the minified versions provided by the developers. This way they are
more sure to have well-tested and reliable minified objects.
    [jquery/jquery-3.5.1.min.js]
    [jquery/jquery.touchSwipe.min.js]
    [nicedit/nicedit.min.js]
    [notifit/notifit.min.js]
    [quill/1.1.5/quill.core.js]
    [quill/1.1.5/quill.js]
    [quill/1.1.5/quill.min.js]
    [quill/1.3.6/quill.core.js]
    [quill/1.3.6/quill.js]
    [quill/1.3.6/quill.min.js]
    [quill/quill.core.js]
    [quill/quill.js]
    [quill/quill.min.js]
    [rangy13/rangy-classapplier.min.js]
    [rangy13/rangy-core.min.js]
    [rangy13/rangy-highlighter.min.js]
    [rangy13/rangy-selectionsaverestore.min.js]
    [rangy13/rangy-serializer.min.js]
    [rangy13/rangy-textrange.min.js]

According to the Debian Free Software Guidelines [1] (DFSG) #2:
 "The program must include source code, and must allow distribution
  in source code as well as compiled form."

In some cases this could also constitute a license violation for some
copyleft licenses such as the GNU GPL. (While sometimes the licence
allows not shipping the source, the DFSG always mandates source code.)

Moreover, minified JavaScript not recompiled from source is a security bug
(outdated library and trust in the upstream minifier).

In order to solve this problem, you could:
1. add the source files to "debian/missing-sources" directory.
2. repack the origin tarball and add the missing source files to it.

Both ways satisfy the requirement to ship all source code. The second option
might be preferable due to the following reasons [2]:
 - Upstream can do it too and you could even supply a patch to them, thus
   fulfilling our social contract [3], see particularly §2.
 - If source and non-source are in different locations, ftpmasters may
   miss the source and (needlessly) reject the package.
 - The source isn't duplicated in every .diff.gz/.debian.tar.* (though
   this only really matters for larger sources).

You could also ask debian-qa at lists.debian.org or #debian-qa for more
guidance.

[1] https://www.debian.org/social_contract.en.html#guidelines
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736873#8
[3] https://www.debian.org/social_contract



-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
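
The report's security point (an outdated bundled library, and trust placed in whoever ran the minifier) and its two remediation options amount to a check a maintainer can automate before upload: find JavaScript that is minified, whether by name or by line shape, read the version banner if the file carries one, and look for a readable counterpart either next to the file or under debian/missing-sources at the same relative path. The script below is an added example written for this page; it is not lintian, bibledit or any Debian tool. The tree it scans is a constructed fixture that imitates a few of the paths listed in the report, and the 200-byte average-line threshold and the candidate source locations are assumptions.

```python
"""Flag minified JavaScript shipped without a preferred-form source.

Added example for this bug report, not Debian/lintian tooling.  Assumptions:
a file is minified if its name contains ".min." or its average line is
longer than MIN_AVG_LINE_LEN bytes; a source counterpart only counts if it
is itself readable, and is looked for beside the file (foo.min.js -> foo.js)
or under debian/missing-sources/ at the same relative path.
"""
import os
import re
import tempfile

MIN_AVG_LINE_LEN = 200  # assumed heuristic threshold
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")


def content_looks_minified(path):
    """True when the file's lines are implausibly long for hand-written JS."""
    with open(path, "rb") as f:
        lines = f.read().splitlines()
    if not lines:
        return False
    return sum(len(line) for line in lines) / len(lines) > MIN_AVG_LINE_LEN


def looks_minified(path):
    return ".min." in os.path.basename(path) or content_looks_minified(path)


def banner_version(path):
    """Version from a leading banner such as '/*! jQuery v3.5.1 ...', else None."""
    with open(path, "r", errors="replace") as f:
        head = f.read(300)
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def source_candidates(rel):
    """Relative paths where a readable source for REL could live."""
    d, name = os.path.split(rel)
    plain = name.replace(".min.", ".")
    cands = []
    if plain != name:
        cands.append(os.path.join(d, plain))  # foo.min.js -> foo.js beside it
    for n in dict.fromkeys([name, plain]):    # de-duplicate, keep order
        cands.append(os.path.join("debian", "missing-sources", d, n))
    return cands


def has_readable_source(root, rel):
    p = os.path.join(root, rel)
    return os.path.isfile(p) and not content_looks_minified(p)


def find_missing_sources(root):
    """Sorted (relpath, banner_version, source_or_None) for every minified .js
    outside debian/.  A None source means DFSG #2 is not met for that file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root and "debian" in dirnames:
            dirnames.remove("debian")  # packaging dir is not upstream code
        for fn in filenames:
            if not fn.endswith(".js"):
                continue
            full = os.path.join(dirpath, fn)
            if not looks_minified(full):
                continue
            rel = os.path.relpath(full, root)
            src = next((c for c in source_candidates(rel)
                        if has_readable_source(root, c)), None)
            findings.append((rel, banner_version(full), src))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture imitating paths from the report (not bibledit's
    real files): a banner-carrying jQuery-style file, a minified file with a
    non-.min name, a .min.js whose sibling is itself minified, a .min.js with
    a readable copy under debian/missing-sources, and one readable file."""
    root = tempfile.mkdtemp()

    def put(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(text)

    banner = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
    put("jquery/jquery-3.5.1.min.js", banner + "!function(e,t){" + "e=t;" * 100 + "}(window);\n")
    put("quill/quill.js", "var Quill=function(){" + "x=1;" * 80 + "};\n")  # minified despite the name
    put("quill/quill.min.js", "!function(){" + "y=2;" * 100 + "}();\n")
    put("rangy13/rangy-core.min.js", "!function(){" + "z=3;" * 100 + "}();\n")
    put("debian/missing-sources/rangy13/rangy-core.js",
        "var rangy = (function () {\n  var z = 3;\n  return z;\n})();\n")
    put("app/editor.js", "function edit(doc) {\n  return doc.trim();\n}\n")  # readable, not flagged
    return root


if __name__ == "__main__":
    for rel, ver, src in find_missing_sources(build_sample_tree()):
        print(f"{rel:30} {ver or '-':8} {'source: ' + src if src else 'MISSING SOURCE'}")
```

Run against a real unpacked orig tarball by replacing `build_sample_tree()` with the tree root. Two behaviours matter for this report's file list: a file such as quill/quill.js is caught by line shape even though its name does not say .min, and quill/quill.min.js is not excused by a sibling quill.js that is itself minified, which is exactly the situation the report lists for the quill/ directories.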