[Pkg-javascript-devel] Bug#740893: Should we install bundled third-party ‘hotkeys’ library

Ben Finney bignose at debian.org
Thu Aug 3 07:25:27 UTC 2017 

(duplicating because I forgot to include the bug report address)

Ryan Attard <frontrunner4000 at gmail.com> writes:

> I've been struggling with this bug, but I'm a little confused by this
> bug report and the response from the maintainers.

Thank you for asking to clarify. I agree that this bug report discussion
can be difficult to follow.

> The source package has these JS files under in coverage/htmlfiles
> (with what I'm assuming is the compatible/tested version), why aren't
> they shipped in the debian package?

Because they aren't used.

Why aren't they used? Because it is a violation of Debian policy to
install third-party bundled libraries; instead, the libraries should
each have their own first-class Debian made from the source for that
library.

You might want to read <URL:https://bugs.debian.org/848188> describing
why the library dependency is removed from the ‘python-coverage’
package.

> It makes no sense to me as a user to have a critical portion of
> functionality broken by default

I agree, and this is discussed in the bug tracker for Coverage.py
<URL:https://bitbucket.org/ned/coveragepy/issues/474/>.

> (because it doesn't hard-dep on libjs-jquery-hotkeys/related JS libs,
> and you can't get line-by-line reports without it), and also to depend
> on a library that is also incompatible and known incompatible.

I don't quite understand what you're saying there. There are
incompatible libraries both claiming the “hotkeys” name, but that's
already known here.

> Can't you just drop the libjs* recommends and install the stuff in the
> source package onto the target system?

Definitely not; bundling a third-party library, especially when that is
just a slightly modified version of an existing packaged library, is a
violation of policy and makes security updates needlessly difficult.

-- 
 \         “Two paradoxes are better than one; they may even suggest a |
  `\                                         solution.” —Edward Teller |
_o__)                                                                  |
Ben Finney
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20170803/9562d333/attachment.sig>

More information about the Pkg-javascript-devel mailing list