Your message dated Sun, 09 Jan 2022 15:04:51 +0000 with message-id <[email protected]> and subject line

    Bug#999796: fixed in nbconvert 6.3.0-1

has caused the Debian Bug report #999796, regarding

    python3-nbconvert: Invalid URLs specified for javascript libraries and potential severe problem for users

to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
999796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-nbconvert
Version: 6.1.0-1
Severity: important

Dear Maintainer,

When converting Notebooks to HTML (or derived), invalid URLs are specified for javascript libraries. For example, the MathJax library is specified to be at

    file://usr/share/javascript/mathjax/MathJax.js

This is _not_ a valid file URL. File URLs have exactly _one_ or _three_ leading slashes

    file:/usr/share/javascript/mathjax/MathJax.js
    file:///usr/share/javascript/mathjax/MathJax.js

This substitution from upstream happens in the patch `0004-privacy-breaches.patch`, and applies to **require-js**, **jQuery**, and **MathJax**.

At a minimum, please fix these URLs.

It is potentially a _big_ problem for users that by default the javascript libraries are picked up from the local filesystem instead of from remote CDN. If I export my Notebook to say slides with hardcoded local filesystem URLs, then

- a client of mine may not be able to correctly use those slides because she does not have the javascript libraries at the same location

- someone malicious could have installed malware version of the javascript libraries on the client's computer, so that when she opens my slides she will become exposed. Sure, the CDN may also be compromised, and we can never completely guard against these things, but in all likeliness such a breach would quickly be discovered and remedied.

- nbconvert assumes specific versions (or range of versions) of the libraries. If a javascript library is updated on the system in a normal upgrade process it could break the slides. For example, nbconvert assumes MathJax version 2, but likely MathJax version 3 will hit Debian in not too long. When that happens all notebooks exported using the patched templates will be broken.

- Finally, it is not what most users would expect.

For **require-js** and **jQuery** there are workarounds in that one can specify specific URLs for nbconvert. However, the URL for MathJax is hard-coded in the templates and is not changeable via the API or CLI.

Please consider to _not_ patch these URLs in the templates. It seriously tampers with usability of the package.

Thank you.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-nbconvert depends on:
ii  python3                      3.9.7-1
ii  python3-bleach               4.1.0-1
ii  python3-defusedxml           0.7.1-1
ii  python3-entrypoints          0.3-8
ii  python3-jinja2               3.0.1-2
ii  python3-jupyter-core         4.9.1-1
ii  python3-jupyterlab-pygments  0.1.2-7
ii  python3-mistune              0.8.4-5
ii  python3-nbclient             0.5.5-1
ii  python3-nbformat             5.1.3-1
ii  python3-pandocfilters        1.4.3-1
ii  python3-pygments             2.7.1+dfsg-2.1
ii  python3-testpath             0.5.0+dfsg-1
ii  python3-traitlets            5.1.1-1

Versions of packages python3-nbconvert recommends:
ii  pandoc                  2.9.2.1-1+b2
ii  python3-jupyter-client  7.0.6-2

Versions of packages python3-nbconvert suggests:
pn  python-nbconvert-doc       <none>
ii  texlive-fonts-recommended  2021.20210921-1
ii  texlive-plain-generic      2021.20210921-1
ii  texlive-xetex              2021.20210921-1

-- no debconf information

-- 
Christian Holm Christensen
-------------------------------------------------
Sankt Hans Gade 23, 4, DK-2200 Copenhagen
http://cern.ch/cholm, +4524618591
--- End Message ---
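
Added example, not part of the bug report and not nbconvert or Debian code: a small audit of the <script src=...> URLs in an exported HTML file, showing how a standard URL parser splits the three file: forms quoted in the report. The sample HTML and the cdn.example.org URL are constructed for illustration; the MathJax path is the one from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample standing in for the <head> of an exported notebook.
SAMPLE_HTML = """
<html><head>
<script src="file://usr/share/javascript/mathjax/MathJax.js"></script>
<script src="file:/usr/share/javascript/mathjax/MathJax.js"></script>
<script src="file:///usr/share/javascript/mathjax/MathJax.js"></script>
<script src="https://cdn.example.org/mathjax/MathJax.js"></script>
</head><body></body></html>
"""


def classify(url):
    """Return (verdict, authority, path) for one script URL."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        return ("remote", parts.netloc, parts.path)
    if parts.netloc not in ("", "localhost"):
        # Two slashes: the first path segment ("usr") is parsed as a host
        # name, so the path the template intended is never requested.
        return ("file-url-with-host", parts.netloc, parts.path)
    # One or three slashes: resolves on whatever machine opens the document,
    # which is the portability and local-tampering concern in the report.
    return ("local-file", parts.netloc, parts.path)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit(html):
    """Return [(src, verdict, authority, path), ...] for an HTML document."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [(src, *classify(src)) for src in collector.sources]


if __name__ == "__main__":
    for src, verdict, authority, path in audit(SAMPLE_HTML):
        print(f"{verdict:20} host={authority!r:6} path={path!r}  <- {src}")
```

Running the same audit over documents exported before and after a template change shows which script references depend on the reader's local filesystem.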
--- Begin Message ---
Source: nbconvert
Source-Version: 6.3.0-1
Done: Gordon Ball <[email protected]>

We believe that the bug you reported is fixed in the latest version of nbconvert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gordon Ball <[email protected]> (supplier of updated nbconvert package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 09 Jan 2022 14:03:53 +0000
Source: nbconvert
Architecture: source
Version: 6.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Gordon Ball <[email protected]>
Closes: 995885 999796 1001283 1002372
Changes:
 nbconvert (6.3.0-1) unstable; urgency=medium
 .
   [ Julien Puydt ]
   * New upstream release (Closes: #995885).
   * Refresh patches.
   * Add new b-dep.
   * Remove Built-Using field from -doc package in d/control.
   * Add missing autopkgtest dep.
   * Rework 0004-privacy-breaches.patch:
     - use file:/// instead of file:// ;
     - accept the breach for mathjax so the produced documents
       don't break for users until upstream makes it easier to
       deal with (Closes: #999796).
 .
   [ Gordon Ball ]
   * Vendor mistune 0.8.4 due to incompatibility with mistune 2
     (Closes: #1001283, #1002372)
   * Set nbsphinx_allow_errors in sphinx conf
   * Skip tests related to ipywidgets 7
--- End Message ---

