emilien+debian at klein.st
Sat Mar 29 07:27:16 UTC 2014
2014-03-28 0:28 GMT+01:00 Ben Finney <ben+debian at benfinney.id.au>:
> Emilien Klein <emilien+debian at klein.st> writes:
>> Let's take the example of jquery-lazyload.
>> Both these files are provided in the upstream tarball:
>> - jquery.lazyload.js
>> - jquery.lazyload.min.js
>> With the second one being the minified form of the first one.
> How will you guarantee that ‘jquery.lazyload.js’ is the corresponding
> source for the file ‘jquery.lazyload.min.js’? How will you guarantee
> that holds true every time a new version is released upstream?
As we can't make sure we're minimizing the file exactly the same way
upstream does, would comparing doubly-minified files work (I need to
try, but no suitable computer at hand just now):
Provided by upstream:
- File A: unminified .js
- File B: Upstream-provided .min.js
Debian minifies file A:
- File C: Debian-minified file A
Debian minifies files B and C with the same options (e.g. drop
copyright notice) to get at the same minified content:
- File D: Debian-minified file C
- File E: Debian-minified file B
If File D and File E are equal, then we can assure file B was minified
from file A by upstream.
I'll try this out for lazyload and report back.
Should the check fail, the package does not build (and then we
repackage). Recheck by next package to see if repackaging is still
I feel there is more value in shipping the upstream tarball (if we can
assure the minified file comes from the supplied source), as
repackaging is an extra step that could theoretically go wrong.
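
The File A to File E comparison proposed in this message, written as a shell function that a package build could call. This is an added example, not part of the original message or of any Debian tooling; the function name `check_minified` and the convention that the minifier is a command reading JavaScript on stdin and writing to stdout are assumptions.

```shell
#!/bin/sh
# Added example: double-minification check (File A..E as named in the message).
# Usage: check_minified SOURCE_JS UPSTREAM_MIN_JS MINIFIER [ARGS...]
# Assumption: MINIFIER reads JavaScript on stdin and writes the result to stdout.
# Returns 0 if File D equals File E, 1 on mismatch, 2 if the check could not run.
check_minified() {
    src=$1            # File A: unminified .js
    upstream_min=$2   # File B: upstream-provided .min.js
    if [ $# -lt 3 ] || [ ! -r "$src" ] || [ ! -r "$upstream_min" ]; then
        echo "usage: check_minified SOURCE MIN MINIFIER [ARGS...]" >&2
        return 2
    fi
    shift 2
    tmp=$(mktemp -d) || return 2
    rc=2
    # C = minify(A), D = minify(C), E = minify(B), all with identical options.
    if "$@" <"$src" >"$tmp/C" &&
       "$@" <"$tmp/C" >"$tmp/D" &&
       "$@" <"$upstream_min" >"$tmp/E" &&
       [ -s "$tmp/D" ] && [ -s "$tmp/E" ]; then
        # Empty outputs are rejected above: two empty files would compare
        # equal and pass the check without verifying anything.
        if cmp -s "$tmp/D" "$tmp/E"; then
            rc=0
        else
            echo "MISMATCH: $upstream_min does not match minified $src" >&2
            rc=1
        fi
    else
        echo "ERROR: minifier failed or produced empty output" >&2
    fi
    rm -rf "$tmp"
    return $rc
}
```

Called from the build with the package's own minifier command, a non-zero return stops the build, which is the failure behaviour the message describes.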