Bug#657405: mediagoblin: no more missing dependencies
Just a note about embedded code copies:

Embedded code copies should be avoided, but the policy does not use the words "must not" here. In some cases it is difficult to avoid them and they may be tolerated for some time.

As long as mediagoblin is the only package using it, there is at least not the problem of code duplication, but Debian must be aware of the code, so that one can react to security issues. The testing security team maintains a list of embedded code copies for this purpose:
https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co

I suggest filing a bug against mediagoblin about any embedded code copies and sending the bug numbers as reference to secure-testing-t...@lists.alioth.debian.org.

See https://wiki.debian.org/EmbeddedCodeCopies
Bug#657405: mediagoblin: no more missing dependencies
On Mon, Oct 13, 2014 at 11:33:11PM -0400, Simon Fondrie-Teitler wrote:
> I should have posted that 0.6.1 is now in new (thanks Asheesh!).
> https://ftp-master.debian.org/new/mediagoblin_0.6.1+dfsg1-1.html

That is great news indeed! Thanks Asheesh!

> In terms of Jessie, I'm actually not aiming to get it in, and either
> Asheesh or I will probably file an RC bug to prevent it from migrating
> to testing. Upstream is not planning on supporting either 0.6.1 or 0.7.1
> for the next few years, and I can't commit to providing security
> support. I do welcome the thoughts of others on this issue though.

Has the upstream indicated that they plan on doing long term support on some later version? If so, then OK, I agree it might be a good idea to wait for that (even if we miss Jessie).

If not, then I'd assume it would be like with the vast majority of other packages - only the last version ever gets fixes ("perpetual development" model). If you're lucky, some packages have a practice that the most important fixes might be released as a new point release (or two) for the last "stable" version, but that support (when available) is also usually measured in at most months, and certainly not years.

If the current development model of mediagoblin is any indication of the future, it will follow the same path: you'll get a minor bugfix from 0.6.0 to 0.6.1, but the next one will be major 0.7.0, and after that it would be end of support for 0.6.x. Same will probably be with 0.7.0 -> 0.7.1 -> 0.8.0, etc.

What I am getting at is that most packages work that way (without providing LTS), and yet they're readily available in Debian Testing and Stable.

Blocking mediagoblin until upstream commits to LTS would probably result in mediagoblin never getting into stable, which I think would be a great shame, as I think (especially due to its distributed nature) mediagoblin would suffer greatly if it is not available easily as a prepared package in distributions - most people will never even consider the "wget/unpack/get and build dependencies/compile/install" route.

So I'd ask Asheesh and you to reconsider allowing mediagoblin in Jessie. If there are any (security or otherwise) bugs you think are preventing it NOW from entering testing, by all means do voice your concerns, so others (like myself) might try to help. But I do not think abstract fear of the possible future should be an RC bug...

And if/when security bugs happen later in the cycle, I'd like to help too. I'm no great python hacker (perl is more of my forte), but I do manage around, and I think I could be of help backporting security fixes if needed. But, as words are cheap, I'll show some git work on mediagoblin in the next week.

-- 
Opinions above are GNU-copylefted.
Bug#657405: mediagoblin: no more missing dependencies
Matija Nalis writes:
> Martin: what do you think would be needed to get mediagoblin pushed
> into debian NEW queue so it would make it to stable Jessie?
> I'm willing to do extra work helping making this happen if Simon
> is short on time. Would you help with DD / sponsoring part
> (or whatever is correct procedure)?

I should have posted that 0.6.1 is now in new (thanks Asheesh!).
https://ftp-master.debian.org/new/mediagoblin_0.6.1+dfsg1-1.html

In terms of Jessie, I'm actually not aiming to get it in, and either Asheesh or I will probably file an RC bug to prevent it from migrating to testing. Upstream is not planning on supporting either 0.6.1 or 0.7.1 for the next few years, and I can't commit to providing security support. I do welcome the thoughts of others on this issue though.
Bug#657405: mediagoblin: no more missing dependencies
On Sat, Oct 11, 2014 at 01:29:56PM +0200, W. Martin Borgert wrote:
> On 2014-10-11 02:52, Matija Nalis wrote:
> > Wow, thanks for quick work!
> You need to thank the FTP masters!

Well, then I thank them too!

> > extlib/tinymce/js/tinymce/tinymce.min.js
>
> I assume, that this could be left out during installation and
> you can depend on either:
>
> python-django-tinymce - replacement text widget for Django web framework
> tinymce - platform independent web based Javascript/HTML WYSIWYG editor

Yes, it could depend on tinymce. However, Debian packages tinymce 3.4.8, and mediagoblin uses tinymce 4.0.2 which is a problem because:

- they use different directory structure / filenames (could be worked around with symlinks)
- they use quite different API

Also, in upstream mediagoblin 0.7.1 tinyMCE is used only in default (airy) theme in file mediagoblin/themes/airy/templates/mediagoblin/extra_head.html, but due to the (simple) bug does not work...

The possible solutions I see:

1) package tinymce4 for debian, make mediagoblin recommend it, and fix simple 0.7.1 bug (wrong CSS selector used). Problem with this solution is that packaging new major tinymce is much work (and we don't have much time for getting mediagoblin in jessie)

2) modify mediagoblin to depend on tinymce 3.4.8 currently in debian (and fix mediagoblin tinyMCE selector bug in the process). Much less work, but tinyMCE3 and 4 look different...

3) modify mediagoblin default airy theme to not use tinyMCE at all (as it doesn't work in stock 0.7.1 anyway), and then revisit problem later when upstream fixes that. It's as simple as deleting both
Bug#657405: mediagoblin: no more missing dependencies
On 2014-10-11 02:52, Matija Nalis wrote:
> Wow, thanks for quick work!

You need to thank the FTP masters!

> extlib/tinymce/js/tinymce/tinymce.min.js

I assume, that this could be left out during installation and you can depend on either:

python-django-tinymce - replacement text widget for Django web framework
tinymce - platform independent web based Javascript/HTML WYSIWYG editor

> fonts/Lato-Regular.ttf

Maybe this is already packaged?

fonts-lato - sans-serif typeface family font
Bug#657405: mediagoblin: no more missing dependencies
On Fri, Oct 10, 2014 at 10:37:47PM +0200, W. Martin Borgert wrote:
> > On 2014-10-08 20:25, Matija Nalis wrote:
> > > there is also a need for python-pyld (which doesn't exist at all in
>
> It's in unstable now, so I assume no dependencies of mediagoblin
> 0.7.1 are missing from Debian, right?
> What else stops mediagoblin from entering the NEW queue? :~)

Wow, thanks for quick work!

Yes, with those two packages in, not much remains for Simon or you (or someone) to make package ready is really 4 things...

3 very trivial things (meaning I managed to do them without problems):

- get last pristine 0.7.1 and 'uupdate -u' version from http://mentors.debian.net/package/mediagoblin to it
- remove obsolete 0001-Fix-Babel-version-restriction.-Onward-and-upward.patch
- add dependencies on python-unidecode, new python-exif and python-pyld

and 1 just-a-little-less-trivial (at least for someone who is not into python installing stuff very much - like myself): making a few more files get where they need to be in the package. Most importantly, I needed to do:

    mkdir -p /usr/lib/python2.7/dist-packages/mediagoblin/static/metadata
    cp mediagoblin/static/metadata/rdfa11.jsonld /usr/lib/python2.7/dist-packages/mediagoblin/static/metadata/rdfa11.jsonld

after installation for the package to get it to work. It should go there by itself, but there is too much python & dh automagic for me to see how anything goes anywhere (good ol' makefiles were sooo nice :)

(note: there seem to be a few more files that I found in static which don't go into the package but probably should:

    extlib/tinymce/js/tinymce/tinymce.min.js
    css/extlib/skeleton.css
    fonts/Lato-Regular.ttf

but they do not seem to be critical, as everything seems to work quite nicely for me even without them being installed - you can see the package 0.7.1 built and installed as described working at http://media.mnalis.com/ as proof of concept)

After that, the package builds and works nicely (after being set up as described in README.Debian) on jessie.

Sure it would be nice if a few of those things in README.Debian were (semi)automated, but none of that should block the package entering NEW AFAICT, so it would be great if it could get there soon (like, in time for the upcoming jessie freeze)!

Thanks again for taking action on this!

-- 
Opinions above are GNU-copylefted.
Bug#657405: mediagoblin: no more missing dependencies
On 2014-10-09 00:27, W. Martin Borgert wrote:
> On 2014-10-08 20:25, Matija Nalis wrote:
> > there is also a need for python-pyld (which doesn't exist at all in
> > debian yet).
>
> OK, will try to work on this one.

It's in unstable now, so I assume no dependencies of mediagoblin 0.7.1 are missing from Debian, right?

What else stops mediagoblin from entering the NEW queue? :~)