[Pkg-javascript-devel] Debian javascript URLs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Aug 22 03:23:17 UTC 2013
sorry to be late to the discussion!
I quite like the idea that we can make it easy for web site
administrators who use debian (and fedora!) to avoid the evil CDNs for
their standard javascript.
On 08/15/2013 08:40 PM, T.C. Hollingsworth wrote:
> There's nothing wrong with it, I just think we should have something
> shorter and less likely to result in an uproar. I'm happy with making
> it work, so you can just share /usr/share/doc as /doc and everything
> can work fine. That makes a lot of sense to me.
fwiw, we recently *stopped* sharing /usr/share/doc as /doc due to
CVE-2012-0216:
http://www.debian.org/security/2012/dsa-2452
So if we do this, we need to take some pains to be sure that this sort
of approach doesn't re-introduce the problems resolved there. Do you
have any suggestions of how we could comprehensively avoid those problems?
> It doesn't make any sense to me to hardcode a filesystem path into
> applications written in dynamic languages that you'll never be able to
> just open with Firefox anyway. There's a reason there's a separate
> namespace for content served over HTTP.
Jonas' argument to just use the filesystem hierarchy for select
directories is tempting (and feels logically the most satisfying), but i
suspect the complaints (about URL length and panic about exporting /usr)
that the fedora folks are trying to address or head off will be real
enough, even if they're not logical.
It occurs to me that if a single top-level directory (e.g. /.websys) in
the URL namespace was mapped to a "safe" directory in the filesytem,
then people who wanted the feature Jonas is asking for can simply create
a /.websys symlink in their local filesystem to get the same benefits
without requiring web sites to have huge URLs in their <script> tags.
breaking that into two separate top-level directories seems more likely
to raise objections to me -- just do it once and be done with it.
/.websys/js
is still as short as
/javascript
and permits /.websys/fonts, /.websys/css, etc to reside under the same link.
About the example name used above: i made up ".websys" for a couple
reasons, neither of which are particularly important, just trying them
on for size (if you have a link to the discussion that concluded with
_sysassets, i'd be happy to read the other issues and options fedora has
already considered):
* leading dot makes the file "hidden" so most normal views of / won't
see an extra entry in case someone decides to add the symlink to the
root filesystem.
* including "web" in the name gives people who find the name in the
filesystem a hint about what it's for, just like "sys" gives people who
find the name in a URL a hint about where it comes from
fwiw, i agree that waiting for a new revision of the FHS is implausible.
If debian and fedora can agree on something while legitimately thinking
through and trying to address any potential objections, we shouldn't let
the FHS's stagnancy stop us.
Thanks for raising this issue, i really do think it would be good to see
fedora and debian collaborate on this.
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20130821/a957b608/attachment.sig>
More information about the Pkg-javascript-devel
mailing list