Package: python3-nbconvert
Version: 6.1.0-1
Severity: important

Dear Maintainer,

When converting Notebooks to HTML (or derived), invalid URLs for javascript libraries are specified. For example, the MathJax library is specified to be at

  file://usr/share/javascript/mathjax/MathJax.js

This is _not_ a valid file URL. File URLs have exactly _one_ or _three_ leading slashes

  file:/usr/share/javascript/mathjax/MathJax.js
  file:///usr/share/javascript/mathjax/MathJax.js

This substitution from upstream happens in the patch `0004-privacy-breaches.patch`, and applies to **require-js**, **jQuery**, and **MathJax**.

At a minimum, please fix these URLs.

It is potentially a _big_ problem for users that by default the javascript libraries are picked up from the local filesystem instead of from remote CDN. If I export my Notebook to say slides with hardcoded local filesystem URLs, then

- a client of mine may not be able to correctly use those slides because she does not have the javascript libraries at the same location
- someone malicious could have installed a malware version of the javascript libraries on the client's computer, so that when she opens my slides she will become exposed. Sure, the CDN may also be compromised, and we can never completely guard against these things, but in all likeliness such a breach would quickly be discovered and remedied.
- nbconvert assumes specific versions (or range of versions) of the libraries. If a javascript library is updated on the system in a normal upgrade process it could break the slides. For example, nbconvert assumes MathJax version 2, but likely MathJax version 3 will hit Debian in not too long. When that happens all notebooks exported using the patched templates will be broken.
- Finally, it is not what most users would expect.

For **require-js** and **jQuery** there are workarounds in that one can specify specific URLs for nbconvert. However, the URL for MathJax is hard-coded in the templates and is not changeable via the API or CLI.

Please consider to _not_ patch these URLs in the templates. It seriously tampers with usability of the package.

Thank you.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-nbconvert depends on:
ii  python3                      3.9.7-1
ii  python3-bleach               4.1.0-1
ii  python3-defusedxml           0.7.1-1
ii  python3-entrypoints          0.3-8
ii  python3-jinja2               3.0.1-2
ii  python3-jupyter-core         4.9.1-1
ii  python3-jupyterlab-pygments  0.1.2-7
ii  python3-mistune              0.8.4-5
ii  python3-nbclient             0.5.5-1
ii  python3-nbformat             5.1.3-1
ii  python3-pandocfilters        1.4.3-1
ii  python3-pygments             2.7.1+dfsg-2.1
ii  python3-testpath             0.5.0+dfsg-1
ii  python3-traitlets            5.1.1-1

Versions of packages python3-nbconvert recommends:
ii  pandoc                  2.9.2.1-1+b2
ii  python3-jupyter-client  7.0.6-2

Versions of packages python3-nbconvert suggests:
pn  python-nbconvert-doc         <none>
ii  texlive-fonts-recommended    2021.20210921-1
ii  texlive-plain-generic        2021.20210921-1
ii  texlive-xetex                2021.20210921-1

-- no debconf information

--
Christian Holm Christensen -------------------------------------------------
 Sankt Hans Gade 23, 4, DK-2200 Copenhagen
 http://cern.ch/cholm, +4524618591
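
Added example, not part of the bug report and not nbconvert or Debian code: a Python check that scans exported HTML for script and stylesheet references using the file: scheme, and separates the two-slash form the report describes (where the first path segment is parsed as a host) from well-formed local references. Only the MathJax URL comes from the report; the other URLs in the sample, and all function and class names, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of exported HTML; only the first URL is from the report.
SAMPLE_HTML = """<html><head>
<script src="file://usr/share/javascript/mathjax/MathJax.js"></script>
<script src="file:///usr/share/javascript/jquery/jquery.min.js"></script>
<script src="file:/usr/share/javascript/requirejs/require.min.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body></body></html>"""


def classify(url):
    """Return 'bad-file-host', 'local-file' or 'other' for a resource URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return "other"
    # With two slashes the first path segment becomes the authority (host):
    # file://usr/share/... is host "usr" with path "/share/...".
    if parts.netloc not in ("", "localhost"):
        return "bad-file-host"
    # One or three slashes: empty host, path on the viewer's own filesystem.
    return "local-file"


class ResourceCollector(HTMLParser):
    """Collect src/href values of <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def audit(html):
    """Return (classification, url) pairs for every file: URL in the HTML."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = [(classify(u), u) for u in collector.urls]
    return [f for f in findings if f[0] != "other"]


if __name__ == "__main__":
    for kind, url in audit(SAMPLE_HTML):
        print(f"{kind:15} {url}")
```

Both classes of finding matter before sharing an export: 'bad-file-host' references will not load at all, and 'local-file' references load whatever is installed at that path on the viewer's machine.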