[Pkg-giraffe-discuss] current state on zarafa-webapp

Carsten Schoenert c.schoenert at t-online.de
Sat Jun 13 19:29:28 UTC 2015 

Hello Guido,

On 06/13/15 13:33, Guido Günther wrote:
> I think this one is not that wrong:
> 
>>> I: zarafa-webapp-clockwidget:
>>> extended-description-is-probably-too-short
> 
> ----
> This package is a plugin for zarafa-webapp, a web interface for the
> Zarafa groupware suite.
> .
> The plugin extends the application's dashboard with a display of a
> clock.
> -----

yeah, great. Picked this and change the whole file again, now there are
no more Lintian tags about that.

> I just had a look at these:
> 
> These shouldn't be overriden.
> 
> zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/bench.php
> zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/generateicalendardata.php
> zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/vobjectvalidate.php
> 
> The scripts all have a '#!/usr/bin/env php' as first line. So either
> their meant to be executed (and therefore need executable bits set) or,
> more likely, this line just needs to be removed. This will make lintian
> happy and is IMHO more correct.

I know, and that's why I append some lines about this issue too on my
previous mail. I don't know if these file needs execution rights,
probably not I think, that's a question we have ask to Zarafa. I can't
any place there these files needed (via grep) so maybe they can removed
completely. Otherwise a comment within the files would be helpful.
But yes, you are right, let's remove the override to get this issue not
loosing the focus.

> I think lintian is correct here too:
> 
> zarafa-webapp-files: privacy-breach-generic usr/share/zarafa-webapp/plugins/files/js/external/uxmediapak.js (http://go2.microsoft.com/fwlink/?linkid=108181)
> 
> The script is fetching external images therefore giving away sensitive
> data. We really should not do this. Simplest thing would be not fetch
> the image from an external site by either going for text only or by
> embedding the image in the source code.

It's even more worse, I took a look into the minimized JS file and there
are many other URLs too that are contacted. So I decided to remove this
file from the upstream source and redo the packaging work within the
repository. Depended on this there was now a empty folder in the
package, we have to see later if the package zarafa-webapp-files is
still useful or if the have to remove that from the control file.

> We can't do much about those:
> 
> zarafa-webapp: font-in-non-font-package usr/share/zarafa-webapp/client/tinymce/skins/lightgray/fonts/tinymce-small.ttf
> zarafa-webapp: font-in-non-font-package usr/share/zarafa-webapp/client/tinymce/skins/lightgray/fonts/tinymce.ttf
> zarafa-webapp: embedded-javascript-library usr/share/zarafa-webapp/client/tinymce/plugins/compat3x/tiny_mce_popup.js please use tinymce
> 
> but I wouldn't override them. This just hides the problem that we're
> unable to use the packaged tinymce. Is there a bug that asks for a
> tinymce update? If so I'd reference this in that file so we can track
> the progress. It seems at least wordpress shares our fate on that one.

Also here I agree with your considerations in the end and removed the
overrides again. Yes, it will be better to see the Lintian warning about
that to not loose the focus too.
I extend the README.source file about that issue a little bit, it also
get the URL for the wishlist bug in the tinymce package that include the
reminder for a new available upstream version for tinymce.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742832

The Groupware wiki site also held this information. I don't know Frank
Haberman, the maintainer for this package nor any of the Javascript
maintainers. So don't count on a update for tinymce, the wishlist bug is
now over one year old without any reaction from Frank Haberman. I added
also a blocking tag onto the tinymce wishlist bug. But we are not alone. ;)

So to finalize, we have some warnings more now.

> $ lintian -IE ../zarafa-webapp_2.0.2-2_amd64.changes
> E: zarafa-webapp source: license-problem-bad-php-license debian/copyright
> W: zarafa-webapp: embedded-javascript-library usr/share/zarafa-webapp/client/tinymce/plugins/compat3x/tiny_mce_popup.js please use tinymce
> I: zarafa-webapp: font-in-non-font-package usr/share/zarafa-webapp/client/tinymce/skins/lightgray/fonts/tinymce-small.ttf
> I: zarafa-webapp: font-in-non-font-package usr/share/zarafa-webapp/client/tinymce/skins/lightgray/fonts/tinymce.ttf
> W: zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/bench.php
> W: zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/generateicalendardata.php
> W: zarafa-webapp-files: script-not-executable usr/share/zarafa-webapp/plugins/files/php/Files/sabredav/vendor/sabre/vobject/bin/vobjectvalidate.php

-- 
Regards
Carsten Schoenert

More information about the Pkg-giraffe-discuss mailing list