[Pkg-javascript-devel] Bug#677619: Bug#677619: libjs-jquery-ui: Please provide pristine copy of upstream minified files too

Jonas Smedegaard dr at jones.dk
Fri Jun 15 20:08:37 UTC 2012


On 12-06-15 at 09:28pm, Raphael Hertzog wrote:
> On Fri, 15 Jun 2012, Jonas Smedegaard wrote:
> > I agree that all[1] javascript files offered for browser use (i.e. 
> > below /usr/share/javascript/) should include a minified variant.  I 
> > disagree, however, that upstream minification should be used, as it 
> > raises the risk of flaws or malice passed on unnoticed from upstream 
> > to Debian: changes to minified files cannot be checked with simple 
> > "git diff" as is the case for most[2] upstream preferred source 
> > formats.
> 
> Right. At least it would be nice to use the same minifier tool as 
> upstream, in the hope of generating the same minified file.

I disagree.  That would be comparable to using the same C compiler with 
the same compile options (with less success for C than for JavaScript, 
probably).

As I understand it, the need for producing identical minification output 
is only to ease identification of those files, which I believe is better 
and more reliably done by hashing, with no ill side effects (e.g. some 
minifiers sometimes produce broken output).


> > Perhaps dh-linktree could be extended to check against hashes too, 
> > and a packaging helper tool could be developed to generate lists of 
> > (alternative) hashes for files shipped with binary packages.
> 
> Can you elaborate?
> 
> How would you generate those hashes?

I would ship with the binary package a hint file containing lines of a) 
path to JavaScript file as shipped in Debian and b) md5sum[1] for 
equivalent upstream file. One line per file hinted about.

Right now we are talking about minifications being different, but 
patching, unix line-ends, utf8 re-encoding might also lead to Debian 
files not matching exactly files shipped by others.  Might also be that 
upstream ships a different file in the tarball than is popular to 
include as convenience code copy in other projects.  It might therefore 
make sense to include such hints not only for minified files but for 
_all_ JavaScript files included with Debian binary package but not 
matching exactly its upstream counterpart.


> Would you try to minify the original file with all the possible 
> minifiers and store the list of hashes?

I would include a hash for the file you described a need for identifying 
when building other packages: the upstream shipped minified file.

When I wrote "hashes" as plural, I just imagined that for the cases of 
multiple minifications of same source being commonly included as 
convenience code copies in projects, it would be handy to be able to 
file a bug report against the corresponding Debian packaged JavaScript 
file to extend the hinting with an additional hash.  I would expect that 
to be uncommon, though, so if cumbersome to implement or express neatly, 
it may not be a big loss.

Does it make sense now?

NB! I do not offer to implement this, just share my thoughts here.

Regards,

 - Jonas

[1] or sha1sum or whatever - I don't know which of these is most 
suitable for this purpose.

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
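The hint-file lookup sketched in the mail above, written out as an added example; this is not code from the thread or from dh-linktree. It assumes a line layout of "Debian path, then one or more hashes of upstream-shipped equivalents", uses sha256 where the mail leaves the algorithm open, and the sample file contents are constructed, not real jquery-ui files.

```python
"""Identify convenience copies of JavaScript files via shipped hash hints."""
import hashlib
from typing import Dict, Optional

HASH = "sha256"  # assumption: the mail says md5sum "or sha1sum or whatever"


def file_hash(data: bytes) -> str:
    return hashlib.new(HASH, data).hexdigest()


def parse_hints(text: str) -> Dict[str, str]:
    """Parse lines 'debian-path hash [hash ...]' into {hash: debian_path}.

    Several hashes on one line cover the case the mail mentions: multiple
    popular minifications of the same source.  '#' starts a comment.
    """
    index: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *hashes = line.split()
        if not hashes:
            raise ValueError("hint line without any hash: %r" % raw)
        for h in hashes:
            index[h.lower()] = path
    return index


def make_hint_line(debian_path: str, *upstream_variants: bytes) -> str:
    """Build the hint line a package would ship for one Debian file."""
    return " ".join([debian_path, *(file_hash(v) for v in upstream_variants)])


def identify(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Return the Debian path an embedded copy corresponds to, else None."""
    return index.get(file_hash(data))


# Constructed sample data: two "upstream" minifications that other projects
# embed, and Debian's own re-minified file, which hashes differently.
UPSTREAM_MIN = b"(function(a){a.ui={version:'1.8.20'}})(jQuery);"
UPSTREAM_MIN_ALT = b'!function(a){a.ui={version:"1.8.20"}}(jQuery);'
DEBIAN_MIN = b'(function(a){a.ui={version:"1.8.20"};})(jQuery);\n'
DEBIAN_PATH = "/usr/share/javascript/jquery-ui/jquery-ui.min.js"
HINTS = "# debian-path  hash(es) of equivalent upstream file(s)\n" + \
    make_hint_line(DEBIAN_PATH, UPSTREAM_MIN, UPSTREAM_MIN_ALT)


def demo():
    """Look up a known upstream copy, an unrelated file, and Debian's own build."""
    index = parse_hints(HINTS)
    return (identify(UPSTREAM_MIN_ALT, index),
            identify(b"var x=1;", index),
            identify(DEBIAN_MIN, index))  # not hinted: Debian's rebuild differs
```

The third lookup returning None is the point of the proposal: Debian's own minification never matches upstream bytes, so only the shipped hints let a helper map an embedded copy to the packaged file.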