Package: python3-nbconvert
Version: 6.1.0-1
Severity: important
Dear Maintainer,
When converting Notebooks to HTML (or derived), invalid URLs are used for
javascript libraries. For example, the MathJax library is specified to
be at
file://usr/share/javascript/mathjax/MathJax.js
This is _not_ a valid file URL. File URLs have exactly _one_ or _three_
leading slashes:
file:/usr/share/javascript/mathjax/MathJax.js
file:///usr/share/javascript/mathjax/MathJax.js
This substitution from upstream happens in the patch
`0004-privacy-breaches.patch`,
and applies to **require-js**, **jQuery**, and **MathJax**. At a minimum,
please fix these URLs.
It is potentially a _big_ problem for users that by default the javascript
libraries are picked up from the local filesystem instead of from remote CDN.
If I export my Notebook to say slides with hardcoded local filesystem URLs,
then
- a client of mine may not be able to correctly use those slides because
she does not have the javascript libraries at the same location
- someone malicious could have installed a malware version of the
javascript libraries on the client's computer, so that when she opens
my slides she will become exposed. Sure, the CDN may also be
compromised, and we can never completely guard against these things,
but in all likelihood such a breach would quickly be discovered and
remedied.
- nbconvert assumes specific versions (or range of versions) of the
libraries. If a javascript library is updated on the system in a
normal upgrade process it could break the slides. For example,
nbconvert assumes MathJax version 2, but likely MathJax version 3 will
hit Debian in not too long. When that happens, all notebooks exported
using the patched templates will be broken.
- Finally, it is not what most users would expect.
For **require-js** and **jQuery** there are workarounds in that one can
specify specific URLs for nbconvert. However, the URL for MathJax is
hard-coded in the templates and is not changeable via the API or CLI.
Please consider _not_ patching these URLs in the templates. It seriously
tampers with usability of the package. Thank you.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.14.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages python3-nbconvert depends on:
ii python3 3.9.7-1
ii python3-bleach 4.1.0-1
ii python3-defusedxml 0.7.1-1
ii python3-entrypoints 0.3-8
ii python3-jinja2 3.0.1-2
ii python3-jupyter-core 4.9.1-1
ii python3-jupyterlab-pygments 0.1.2-7
ii python3-mistune 0.8.4-5
ii python3-nbclient 0.5.5-1
ii python3-nbformat 5.1.3-1
ii python3-pandocfilters 1.4.3-1
ii python3-pygments 2.7.1+dfsg-2.1
ii python3-testpath 0.5.0+dfsg-1
ii python3-traitlets 5.1.1-1
Versions of packages python3-nbconvert recommends:
ii pandoc 2.9.2.1-1+b2
ii python3-jupyter-client 7.0.6-2
Versions of packages python3-nbconvert suggests:
pn python-nbconvert-doc <none>
ii texlive-fonts-recommended 2021.20210921-1
ii texlive-plain-generic 2021.20210921-1
ii texlive-xetex 2021.20210921-1
-- no debconf information
--
Christian Holm Christensen -------------------------------------------------
Sankt Hans Gade 23, 4, DK-2200 Copenhagen
http://cern.ch/cholm, +4524618591
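
The URL parsing issue described in the report, as an added example that is not part of the original report or of nbconvert: it audits the script and stylesheet URLs in an exported HTML file and flags `file:` URLs whose first path segment has been parsed as a host. The sample HTML is constructed; the three `file:` URLs are the forms quoted in the report and the `https` URL is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample export. The three file URLs are the forms quoted in the
# report; the https URL is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="file://usr/share/javascript/mathjax/MathJax.js"></script>
<script src="file:/usr/share/javascript/mathjax/MathJax.js"></script>
<script src="file:///usr/share/javascript/mathjax/MathJax.js"></script>
<script src="https://cdn.example.org/mathjax/MathJax.js"></script>
</head><body></body></html>"""


def classify(url):
    """Return (verdict, host, path) for one resource URL."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        verdict = "remote" if parts.scheme in ("http", "https") else "other"
        return verdict, parts.netloc, parts.path
    # After "file://" the next component is an authority (host), not a path
    # segment, so "file://usr/share/..." names host "usr" and path "/share/...".
    if parts.netloc not in ("", "localhost"):
        return "malformed-file", parts.netloc, parts.path
    return "local-file", parts.netloc, parts.path


class ResourceCollector(HTMLParser):
    """Collect script src and link href values from an HTML document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "link": "href"}.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)


def audit(html):
    """Map each referenced URL to its classification."""
    collector = ResourceCollector()
    collector.feed(html)
    return {url: classify(url) for url in collector.urls}


if __name__ == "__main__":
    for url, (verdict, host, path) in audit(SAMPLE_HTML).items():
        print(f"{verdict:15} host={host!r:8} path={path!r}  <- {url}")
```

Any `local-file` result also marks an export that depends on libraries installed on the viewer's machine, which is the portability and trust concern raised in the report.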