On Monday 07 March 2016 03:59 PM, Jonas Smedegaard wrote: > Thanks for your clarifications - they seem to confirm that you were, > and still intend to be, pragmatic - e.g. track the real upstream only > when strongly encouraged to do so. >
I don't think there is much benefit to enforce this rule for every case than increase the burden of maintaining already challenging rails packages. There is neither duplication of code, nor bit rot here. The js code is separated as its own package and the its corresponding rubygem is regularly updated. In case of rails-assets-* gems, they are auto-generated from their bower packages and the security concern would be only about rails-assets.org service. In case of diaspora, the rails-assets-* (there are more wrapper packages than this) packages it needs are, ruby-rails-assets-diaspora-jsxc (>= 0.1.4~), ruby-rails-assets-jquery-colorbox (>= 1.6.3~), ruby-rails-assets-favico.js (>= 0.3.9~dfsg-2~), ruby-rails-assets-jquery-fullscreen-plugin, ruby-rails-assets-jquery, ruby-rails-assets-markdown-it (>= 5.0.2~), ruby-rails-assets-markdown-it-hashtag (>= 0.4.0~), ruby-rails-assets-markdown-it-diaspora-mention (>= 0.4.0~), ruby-rails-assets-markdown-it-sanitizer (>= 0.4.1~), ruby-rails-assets-markdown-it--markdown-it-for-inline, ruby-rails-assets-markdown-it-sub, ruby-rails-assets-markdown-it-sup, ruby-rails-assets-highlightjs (>= 8.9.1~), ruby-rails-assets-jeresig-jquery.hotkeys (>= 0.2.0-3~), ruby-rails-assets-jquery-idletimer, ruby-rails-assets-jquery-placeholder (>= 2.1.3~), ruby-rails-assets-jquery-textchange, ruby-rails-assets-perfect-scrollbar (>= 0.6.7~), ruby-rails-assets-perfect-scrollbar (<< 0.7), ruby-rails-assets-jakobmattsson-jquery-elastic, Out of the 20 packages listed here, 9 of the corresponding js packages have only the ruby-rails-assets as reverse dependencies. ruby-rails-assets-jquery-colorbox some and ruby-rails-assets-jquery has many reverse dependencies. Others are likely to be used by diaspora only. If someone volunteers to package original upstream, I'd be happy to use them instead.
signature.asc
Description: OpenPGP digital signature