Hi Gianfranco,

Quoting Gianfranco Costamagna (2014-10-29 13:41:30)
> I'm stuck with this jquery problem, and I don't know the best solution
> for it.
>
> Doxygen creates and embeds a patched jquery version (why they don't
> extend jquery in another file or rename it to avoid clashes is obscure
> to me), then symlink can result in a broken documentation.
>
> Many sponsors don't sign a package with a lintian warning/error such
> as "embedded jquery minified version" or so, and so I started making
> packages with a dh_linktree jquery symlink (I know this is bad, and
> this is the reason why I'm here).
>
> So I would like to know what is the best way to solve it, I'm open to
> avoid all the symlinks in my packages that are currently:
> -casablanca (new queue)
> -websocketpp
> -libsdl2-gfx
> -lucene++
>
> (maybe others I don't recall now)
>
> But I would like to do it after knowing what is the best solution for
> the problem [1].
>
> Shipping minified js is considered a security issue, even for doc
> package, and the bug seems likely in doxygen rather than in packages
> using it, and patching lintian is an open bug [2] :)
>
>
> References I found by googling (and with thanks to some of my mentors)
>
> [1] https://lists.debian.org/debian-mentors/2012/11/msg00310.html
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736360

For the source package I believe you should either...

 a) ensure that the code is truly the code that it claims to be
    (filename "jquery-1.2.3" quite arguably is not adequate assurance
    that it contains unaltered version 1.2.3 of jQuery). This can be
    difficult to ensure - one way is to build-depend on
    believed-to-be-same code, and check that content is identical
    (which may involve re-serialization of content).

 b) repackage upstream source to not redistribute with Debian code
    which is uncertain what it really is.

For the source package I believe you should either...

 a) Recommend jquery, and patch your code to link against it. This can
    be difficult: If you use /javascript/... as path it will only work
    when served by a webserver supporting such indirection (e.g. by use
    of javascript-common). If instead you use
    /usr/share/javascript/... as path it will only work when offline or
    served by a webserver supporting such indirection (currently no
    package handles that out of the box).

 b) Depend on jquery, and symlink it from where your code expects it.

I don't follow why using a symlink is bad - if only you ensure to not
have broken symlink, by depending on (not recommending) the jquery
package.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
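
The content check from option a) for the source package (build-depend on the believed-to-be-same code and compare after re-serialization), as an added example that is not part of the original message or of any Debian tool. The function names, the `jquery.js` file name and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import os
import sys

def normalize_js(data: bytes) -> bytes:
    """Conservative re-serialization: drop a BOM, unify line endings, strip
    trailing whitespace and trailing newlines. Tokens are never touched, so a
    patched or minified copy still compares as different (fail closed)."""
    text = data.decode("utf-8-sig", errors="replace")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return "\n".join(ln.rstrip() for ln in text.split("\n")).strip("\n").encode("utf-8")

def digest(data: bytes) -> str:
    return hashlib.sha256(normalize_js(data)).hexdigest()

def same_code(embedded: bytes, reference: bytes) -> bool:
    """True only if the embedded copy is the reference modulo formatting."""
    return digest(embedded) == digest(reference)

def find_mismatches(tree: str, reference_path: str, name: str = "jquery.js") -> list:
    """Paths under `tree` called `name` whose content is not the reference."""
    with open(reference_path, "rb") as fh:
        ref = digest(fh.read())
    bad = []
    for root, _dirs, files in os.walk(tree):
        if name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if digest(fh.read()) != ref:
                    bad.append(path)
    return sorted(bad)

# Constructed sample inputs (stand-ins, not real jQuery source).
REFERENCE = b"function jq(sel) {\n  return document.querySelector(sel);\n}\n"
SAME_REFORMATTED = b"\xef\xbb\xbffunction jq(sel) {  \r\n  return document.querySelector(sel);\r\n}\r\n\r\n"
PATCHED = REFERENCE + b"jq.extra = function () {};\n"  # like a tool-patched copy

if __name__ == "__main__":
    if len(sys.argv) == 3:  # <unpacked source tree> <jquery.js from the build-dependency>
        bad = find_mismatches(sys.argv[1], sys.argv[2])
        print("\n".join(bad) or "all embedded copies match the packaged file")
        sys.exit(1 if bad else 0)
    print(same_code(SAME_REFORMATTED, REFERENCE), same_code(PATCHED, REFERENCE))
```

Run against the unpacked source with the packaged file as second argument; a non-zero exit means at least one embedded copy is not what its file name claims, which is the case for repacking or replacing it.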