[Pkg-roundcube-maintainers] Bug#978073: src:roundcube: closure-compiler and yui-compressor are of questionable quality

Jonas Smedegaard dr at jones.dk
Fri Dec 25 13:55:00 GMT 2020 

Package: src:roundcube
Version: 1.4.9+dfsg.1-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Build routines use the compressors closure-compiler and yui-compressor,
not because upstream is tightly integrated with those but as deviation
with Debian.

Many years ago, before Nodejs entered Debian, those were the only
options in Debian for compressing JavaScript and CSS.

Nowadays, however, they are not as active and quite likely less
performant as newer alternatives.

For JavaScript, I recommend to replace this:

  closure-compiler --compilation_level=SIMPLE_OPTIMIZATIONS --js="$$0" --language_in=ECMASCRIPT5 --js_output_file="$${0%.js}.min.js"

...with something like this (untested):

  uglifyjs --compress --mangle --source-map "base='\''$$(dirname "$$0")'\'',url='\''$$(basename "$$0").map'\''" --output "$${0%.js}.min.js" -- "$$0"

...and build-depend on uglifyjs (>= 3).

Alternatives include uglifyjs.terser and esbuild.

Terser is a fork of UglifyJS supporting newer dialects of JavaScript
(which I guess is unneeded here), has a larger tree of
build-dependencies (i..e higher risk of getting entangled with testing
migrations, and higher risk of falling behind newest upstream releases -
it is currently 1.5 years behind).

esbuild is written in Go and should be extremely fast.  That's really
all I know about it at this time...


For CSS, I recommend to replace this:

  yui-compressor --type css -o ".css$$:.min.css" -- {}

...with this (untested):

  sh -c 'exec sassc --style compressed --sourcemap "$$0" "$${0%.js}.min.js"' {}

...and build-depend on sassc.

There are no doubt alternatives, but I am not aware of them.


Both these proposed replacements as a bonus generate "map" files, that
are helpful for debugging, without getting in the way of normal use.


In addition to compressing the code _structure_, I recommend to also
install JavaScript and CSS files precompressed with gzip and brotli.

I propose to look at the debian/rules rile in the source package
libjs-sdp for a compact way to handle that.  Specifically the "%.gz"
target, having target "override_dh_auto_build" depend on all *.gz files,
and the final magic target ".SECONDARY:".

To use that approach you will need to restructure to (generate CSS and)
compress files in separate targets instead of in the install target,
which in my opinion ought to be corrected anyway: it really is build
rules, not install rules!


 - Jonas

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAl/l7zIACgkQLHwxRsGg
ASFWWRAAk1RuSjy17/J0s7bXYoNXx2JQ53zId+Cg9GSmo87+8jhzvg8rlwLMWHV1
OHy/ALrex1t3RVOSacCy/Jzq93sooNgvfhzJt84kVrDRrbIvsuj55JASsLFHDyCZ
uZSGIB+v8jAaNiVXE7QvJ/uN/b+o65qyV72rOW9vEEr4/RVG1vaYeeeY3k3OApI1
my7GSRHXLil7bhlzLSleFTPErW1/uoniNEzPIM+FL3ykp7KLSQvCWk7GlTx1c9vk
lAq4SUpLILAwMmm2E+GM+p00Xdb/TZZ25UTze7Fobsn8THRHh+aKZtLkLb8vAftS
Gs93ZbP4ewYvcq/+ch9gaxQ/m9wruwQwqjj9JPiYWQcNPkimkSQJWV/mhLPr2x2M
WhyH+2yKIjX0tqd02nzRUOpFR8XRN6YdhlNQVdwXylSnyt0XXSJdDSUMC7yikbLr
TlyKULTUODD+DtjEfERx9fIEmzA5AvH0D+mGlAfb6LqvcrlzazIF3wjd/dnRQZTW
Htgx63sSOKZsaketxu9tGhBFMBqliRSUGSu5XRxtJx6sy6/n3XhgNhPjVhOBgd2k
fbI6QLWG/q85Yf/wVgGSxKSdGa3CRF3Pd4wHMZgulGrrQ5ASr9wzIe2ZIPh8soB0
VYbdMm2nNP8YEY3aqmQH/hGda68BUCsG0kvs4372q0uRAnHyMSo=
=pJIt
-----END PGP SIGNATURE-----

More information about the Pkg-roundcube-maintainers mailing list