[Pkg-javascript-devel] Bug#920749: Bug#920749: popper.js: contains generated code uncertain if fully included as source

Xavier yadd at debian.org
Tue Jan 29 14:41:56 GMT 2019


Le 29/01/2019 à 15:23, Jonas Smedegaard a écrit :
> Quoting Xavier (2019-01-29 07:41:40)
>> Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit :
>>> Source: popper.js
>>> Version: 1.14.6+ds-1
>>> Severity: serious
>>> Justification: Policy 2.1
>>>
>>> Source package contains several files (seemingly all of them) below
>>> <dist/> which does not exist in upstream version tracking and therefore
>>> are not in the form preferred upstream, and more importantly may include
>>> other code than the actual source below <packages/>.
>>>
>>>  - Jonas
>>
>> Upstream author does provide dist/* files in release commits (example: 
>> https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) 
>> and remove them from master at next commit.
> 
> Yes, upstream ships pre-generated code.
> 
> Sorry that I was sloppy and my initial email could be read as "this bug 
> is that upstream did not at all commit those files to git" - what I 
> meant to say is "this bug is that upstream seems to not intend for those 
> files to be their preferred form for their own source editing".
> 
> 
>> This generated files are readable javascript files, unminified and 
>> well commented (a sort of webpack of packages/* files).
> 
> Yes, pre-generated code is readable (a.k.a. beautified not minified).
> 
> Readability of pre-generated code is irrelevant for this bug.  What is 
> relevant is that source is provided for everything we distribute.
> 
> Simplest way to ensure that is to not include pre-generated code with 
> source.
> 
> There are other ways too, but looking for loopholes is _more_ complex 
> and _easier to do wrong.
> 
> 
>> To reproduce build, many dependencies are needed. So the choices are:
>>  - doing nothing, twitter-bootstrap4 will be removed from buster with
>>    all its reverse dependencies
>>  - package many new modules (I've no time to do this)
>>  - decrease this severity issue
> 
> Yes, reproducing upstream build is likely too complex.
> 
> There are other options, however:
> 
>  - stitch things together in a creative new way
>  - roll back to an earlier release with less complex build routines
> 
> 
>> NB: upstream build can be reproduce only using yarnpkg, failed with npm:
>>   $ yarnpkg install
>>   $ yarnpkg build
> 
> I fail to see how it is relevant for this bug: We use deb _instead_ of 
> either of those packaging systems!
> 
> (a _helper_ tool like npm2deb might have been handy and might fail here, 
> but that is unrelated to this bug)

Hello,

kapouer found a way to fix this (built with node-buble). Closed now.
Could you review twitter-bootstrap4 now ?

Cheers,
Xavier



More information about the Pkg-javascript-devel mailing list