[Pkg-monitoring-maintainers] Bug#736104: [Ganglia-developers] ganglia-web package at risk
Daniel Pocock
daniel at pocock.com.au
Mon Mar 3 18:25:39 UTC 2014
On 04/02/14 14:56, Daniel Pocock wrote:
> On 04/02/14 14:47, Chris Burroughs wrote:
>> I thought the distro anti-bundling stance was paired with a "we
>> already have X so you should just depend on it". I'm not sure how
>> this works with javascript. Is there some debian "jquery package"
>> that could be depended on?
>
> There is a jQuery package in Debian, but it is a slightly older version
>
> There are various issues that motivate these rules/policies in
> distributions:
>
> - disk space
>
> - security updates (better to just have one copy of X to update in one
> shot, hard to find multiple bundled copies of X and check they all have
> the latest/necessary security patches)
>
> - source - bundling any minified artifact is not consider to be real
> source code
>
> That said, given that every project seems to depend on a different
> version of jQuery, there is some leniency - Debian accepts bundled
> copies of some things like jQuery as long as they are not minified. It
> is perfectly OK to minify them in an installation script, but the source
> tarball from the Ganglia web site must be 100% readable source code.
>
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736104
I had a quick look at this and found that the jquery-ui stuff is not
cleanly available as source because of the way it is built as a custom
JavaScript file using the tool here:
https://jqueryui.com/download
so it is not a quick fix for me to simply drop in uncompressed JavaScript.
What can be done is that instead of using the "custom" method to get
jquery-ui, perhaps the full source from here:
https://jqueryui.com/resources/download/jquery-ui-1.10.4.zip
can be downloaded into the ganglia-web repository (including both the
minified and the human readable version) and then the full minified .js
file (rather than a custom.min.js file) can be used within ganglia-web
Are the ganglia-web developers happy to support that version of
jquery-ui? Is there any reason the custom version has to be used?
The package has now taken the first step towards being completely
dropped from Debian and Ubuntu:
http://packages.qa.debian.org/g/ganglia-web.html
so it is important that we agree on a solution for 3.5.13 or it will be
completely missing from the upcoming Ubuntu "trusty" release and the
Debian 8 release early next year.
Regards,
Daniel
More information about the Pkg-monitoring-maintainers
mailing list