Hello,

On Thursday, 20.04.2023 at 11:57 +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
> 
> Hi,
> 
> On Mon, 10 Apr 2023 23:55:44 +0200 Markus Koschany <a...@debian.org> wrote:
> > This unblock is related to #1034127 and the unblock of rhino.
> 
> rhino is now unblocked.

Thank you.

> 
> > The main reason for
> > upgrading from 3.6.1 to 3.6.2 was to include missing JavaScript files
> > which are needed to run the web / desktop application of openrefine.
> 
> I *think* you are abusing missing-sources. Quoting policy [1]:
> """
> Sometimes upstream does not include the source code for some files in 
> the upstream tarball. In order to satisfy the DFSG for packages in main 
> or contrib, you should either:
> 
>      repack the upstream tarball to include those sources; or
> 
>      include a copy of the sources in the debian/missing-sources directory.
> """
> But you are *installing* those missing sources.

In version 3.5.x upstream included all JavaScript files in the original source
tarball but also shipped some minified files without the unminified sources. I
kindly asked them to change that. They then decided to remove third-party
JavaScript files completely and download them separately with npm while
building their own version of openrefine. I didn't have the chance to discuss
this change with them yet and how they want to distribute those third-party
JavaScript files in the future.

Since I already followed the Debian Policy and included the missing sources in
debian/missing-sources, I felt that shipping the 3rdparty directory in
debian/missing-sources/3rdparty would be a good intermediate solution. If you
insist I can repack the tarball, add the 3rdparty directory and remove it from
debian/missing-sources but in the end it would not make any difference. The
debdiff and the functionality would be the same. I feel such a change could be
postponed for the next release cycle when I know upstream's thoughts. 


>  On top of that, you are 
> shipping yet another copy of e.g. jquery.js [2]. Please, if remotely 
> possible, use bin:libjs-jquery (and similar for the other dependencies) 
> instead.

Openrefine is a desktop application which only runs on your own computer.
Openrefine is not affected by any possible security vulnerabilities in jquery
or any other JavaScript library, hence why it is more beneficial to use a local
copy that is closely integrated and tested with Openrefine. The risk of
breaking the application whenever the system library changes is much higher. If
you insist I can depend on libjs-jquery and replace the local copy with a
symlink but I feel this would be an example of over-engineering without any
real value to our users in this specific case.

Regards,

Markus
