micah <mi...@debian.org> writes: > The spin.min.js, prettify.js, don't seem to have a license attached to > them
I've worked on repacking the upstream source to remove the .min.js files, and the .swf... the .swf appears to be just a convenience clipboard function that makes copying text easier, I bet it will function fine without it, but I will test it. >> share/doc/build/html/_static/jquery.js > > libjs-jquery in debian unstable is 1.7.2 and this appears to be the > version that is in this file, a diff of the debian packaged version and > this file produces no results. So this could easily be removed and > repacked and the package could instead depend on libjs-jquery. Actually, the package already depends on libjs-jquery and I see in the debian/rules file that you are already removing the file and then symlinking the packaged version. Did you forget that this was done, or was there something else you were wanting to point out with this when you mentioned it? >> share/doc/build/html/_static/underscore.js > > this file purports to be underscore.js version 1.4.4, and debian has > libjs-underscore 1.4.4, a diff between these two produces no results, so > just like libjs-jquery, this could be replaced by the package. Same thing as above, the debian/rules file handles it, and we depend on the package properly. >> share/server/coffee-script.js > > the file says it is 1.2.0, debian has 1.4.0, personally I think that > depending on the newer package and seeing if it causes any trouble would > be a reasonable approach As for CoffeeScript, we could unbundle it, but if we differ from what upstream ships we could confuse people. I vote for leaving this version embedded, noting it in the embedded code copies list for debian security, and I'll talk to upstream about updating their version to be 1.4.0 so we can unbundle it in the future. >> share/www/fauxton/js/require.js > > I found node-requirejs in debian, but if you install it, you will > install the entire libv8 library and nodejs... it does look like the > same javascript, although different versions, and the couchdb one > appears to have some couchdb specific things in it, so I would be > inclined to continue to use the embedded one, and noting it in the > security repository upstream reports that require.js is different from node-requirejs, you can’t replace one with the other. I dont see any reason why we can't include this in the package, its properly licensed and falls under the DFSG. I can't find any other place on the internet that is distributing it, so I think we should use this as is. I'll ask upstream to see if there is some other source for it. >> share/www/script/jquery-ui-1.8.11.custom.min.js > > this appears to just be an older version of libjs-jquery-ui's > /usr/share/javascript/jquery-ui/ui/jquery-ui.custom.min.js and we could > probably use the packaged version I removed it with the other removals of .min.js files. I added a dependency on the libjs-jquery-ui package and made the remove_minified_jquery patch use the packaged version instead. >> src/fauxton/assets/js/libs/spin.min.js > > I didn't find a package for this, but it looks pretty small... I removed it from the repack, but there is no non-minified version, so I'll need to ask upstream to include it. >> src/fauxton/assets/js/plugins/prettify.js > > didn't find a package for this either... I think this can stay in the package, its an embed of https://code.google.com/p/google-code-prettify/ but it isn't packaged in debian, so we can just note it in the embedded code copies tracker. >>> Also please realize that upstream includes several other projects in >>> the source tarball. Like the packaged ones: src/ibrowse/ , src/snappy >>> and the not yet packaged one: src/mochiweb [1]. There are more, these >>> were just examples. > > Yes, perhaps we can try to remove the ones that are packaged and depend > on the packages and see how things work (or not). I spoke to upstream about some of these. the included ibrowse has important differences from upstream and should not be replaced by the packaged version in debian. The difference is that the upstream ibrowse has a privacy leakage problem when couchdb replication happens over tor hidden services. The ibrowse included in couchdb supports socks5 and doesn't have the privacy leakage. Upstream did file an issue with ibrowse, and one part was fixed, but not the other. I will follow-up with upstream to see if they are chasing this around. Once it has been resolved, this can be unbundled... but until then, we should note it in the embedded code copies list. mochiweb in couchdb has a patch to ensure it works in all timezones that upstream mochiweb still suffers from. They think they filed an issue upstream with this, but I will chase them around about this. I think this too can be embedded, when noted. the rest do not seem to be packaged, and seem to be couchdb specific, with the exception of erlang-oauth and snappy. I'll note these as embedded code copies which are not packaged in debian. So, in summary, the following needs to be done before 1.6.0 can be uploaded to debian: . test the removal of the .swf, and talk with robertkowalski about the building the source of the .swf . note coffeescript embedded code copy . test the removal of the jquery-ui (we are using 1.10.1 instead of couchdb's 1.8) . note the embed of https://code.google.com/p/google-code-prettify . note the embed of ibrowse . note the embed of mochiweb . note embed of erlang-oauth and snappy (not packaged in debian) and then the following are the things that need to be done for the future and I do not think block the upload of the package: . ask upstream to upgrade coffeescript to 1.4.0 so we can unbundle it . ask upstream if there is some source for require.js . ask couchdb to upgrade to 1.10.1 of jquery-ui and ship the non-minified versions as well . ask upstream to include a non-minified version of spin.min.js . ask upstream if the ibrowse leakage issue is being tracked . ask upstream if there is a mochiweb timezone issue being tracked -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
