[Pkg-javascript-devel] Bug#920749: Bug#920749: popper.js: contains generated code uncertain if fully included as source

Jonas Smedegaard dr at jones.dk
Tue Jan 29 14:23:48 GMT 2019 

Quoting Xavier (2019-01-29 07:41:40)
> Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit :
> > Source: popper.js
> > Version: 1.14.6+ds-1
> > Severity: serious
> > Justification: Policy 2.1
> > 
> > Source package contains several files (seemingly all of them) below
> > <dist/> which does not exist in upstream version tracking and therefore
> > are not in the form preferred upstream, and more importantly may include
> > other code than the actual source below <packages/>.
> > 
> >  - Jonas
> 
> Upstream author does provide dist/* files in release commits (example: 
> https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) 
> and remove them from master at next commit.

Yes, upstream ships pre-generated code.

Sorry that I was sloppy and my initial email could be read as "this bug 
is that upstream did not at all commit those files to git" - what I 
meant to say is "this bug is that upstream seems to not intend for those 
files to be their preferred form for their own source editing".


> This generated files are readable javascript files, unminified and 
> well commented (a sort of webpack of packages/* files).

Yes, pre-generated code is readable (a.k.a. beautified not minified).

Readability of pre-generated code is irrelevant for this bug.  What is 
relevant is that source is provided for everything we distribute.

Simplest way to ensure that is to not include pre-generated code with 
source.

There are other ways too, but looking for loopholes is _more_ complex 
and _easier to do wrong.


> To reproduce build, many dependencies are needed. So the choices are:
>  - doing nothing, twitter-bootstrap4 will be removed from buster with
>    all its reverse dependencies
>  - package many new modules (I've no time to do this)
>  - decrease this severity issue

Yes, reproducing upstream build is likely too complex.

There are other options, however:

 - stitch things together in a creative new way
 - roll back to an earlier release with less complex build routines


> NB: upstream build can be reproduce only using yarnpkg, failed with npm:
>   $ yarnpkg install
>   $ yarnpkg build

I fail to see how it is relevant for this bug: We use deb _instead_ of 
either of those packaging systems!

(a _helper_ tool like npm2deb might have been handy and might fail here, 
but that is unrelated to this bug)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20190129/cb7fbc4b/attachment-0001.sig>

More information about the Pkg-javascript-devel mailing list