[Pkg-gmagick-im-team] Bug#971216: doxygen build error
Helmut Grohne
helmut at subdivi.de
Tue Jan 5 18:39:16 GMT 2021
On Sat, Dec 19, 2020 at 11:29:36PM +0100, Sven Mueller wrote:
> Could you imagine (no pun intended) to include the change in the
> imagemagick version of the dh_doxygen script into the version in the
> doxygen package, possibly behind an option? It replaces known (currently
> only jquery) .js files by a symlink to the relevant known location of the
> (here:) jquery file and creates a substvar with the required
> dependency/dependencies.

Nack. Please read /usr/share/doc/doxygen/README.jquery and do away with
the symlink. It is broken.

> This would eventually eliminate the need to keep a script in the
> imagemagick sources in sync with the doxygen package.

There is no need in the first place. /usr/bin/dh_doxygen can be used as
is.

> The replacement is desirable from a security standpoint, as it reduces the
> places that need patching if another jquery vulnerability surfaces.

It is not. While jquery does have security updates from time to time, it
seems very unlikely that any of them could be exploited while browsing
documentation. The way Doxygen uses jquery is what lowers the risk.

Replacing jquery.js (which is not jquery despite being thus named) is of
course more secure quite like pulling the plug on your computer is more
secure. It should be noted however that doing so also reduces the
usefulness.

Helmut