Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-08-14 Thread Kunal Mehta

severity 1042532 normal
tags 1042532 wontfix
thanks

Hi,

On 7/31/23 07:23, roucaries bastien wrote:

> hi,
> On Mon 31 Jul 2023 at 08:27, Kunal Mehta wrote:
>
> > These are in the preferred form for modification so I don't think
> > there's any issue here, but please correct me if I'm wrong. MediaWiki
> > often patches these libraries (e.g. jquery.ui) in this format hence IMO
> > meeting the "preferred form of the work for making modifications to it"
> > requirement of the GPL.
>
> No, https://sources.debian.org/src/mediawiki/1%3A1.39.4-2/resources/lib/pako/
> is webpacked in order to be transformed to es5. No source available
> before webpack.


IANAL, but as I understand it, there are two licenses to consider here: 
pako's MIT license (aka Expat) and MediaWiki's GPL v2 or later license. 
The pako_deflate.es5.js file contains the MIT license 
information/attribution, so we're in compliance for that.


MediaWiki's GPL v2 requires source code to be in "preferred form of the 
work for making modifications to it". In the context of MediaWiki, this 
is in the preferred form, since that's how we plan to (and do) modify 
it. If you want to patch MediaWiki, having the pre-transpiled sources is 
going to be way more work than the source we're providing right now. And 
the proof is that (AFAIK) MediaWiki devs will just patch these sources 
directly, they don't go to the upstream sources, adjust those, and then 
generate a patch. So I don't see a DFSG issue.



> And not sticking to the latest jquery is a security problem. Are you sure
> you have closed all the CVEs?


The ones that affect MediaWiki, I believe so. Upstream MediaWiki has at 
least one or two jQuery team members as core developers who follow that, 
not to mention the Wikimedia Foundation's security team.



> With my javascript hat on, I believe that working with upstream to
> improve the testing (using selenium if needed) will improve the
> security of mediawiki by using packaged and up-to-date js.


There is already upstream selenium-based testing, but using the latest 
version of everything isn't always a feature.



> In all cases it decreases the burden from a security point of view.


No, it really doesn't, it just shifts it elsewhere. The more deviations 
Debian makes, the less we can rely on upstream's QA processes for 
ensuring we're shipping working software, which will more likely slow 
down security updates. Since bundling is permitted by policy, we plan to 
continue doing it.


-- Kunal



Processed: Re: Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-08-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 1042532 normal
Bug #1042532 [src:mediawiki] mediawiki: Vendoring a few javascript library 
without source
Severity set to 'normal' from 'serious'
> tags 1042532 wontfix
Bug #1042532 [src:mediawiki] mediawiki: Vendoring a few javascript library 
without source
Added tag(s) wontfix.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1042532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-07-31 Thread roucaries bastien
hi,
On Mon 31 Jul 2023 at 08:27, Kunal Mehta wrote:
>
> Hi,
>
> On 7/29/23 16:44, Bastien Roucariès wrote:
> > Dear Maintainer,
> >
> > resources/lib/
> > (https://sources.debian.org/src/mediawiki/1:1.39.4-2/resources/lib/)
> >
> > includes a few libraries already packaged for Debian.
> >
> > Moreover some sources are missing (I have only checked pako).
>
> These are in the preferred form for modification so I don't think
> there's any issue here, but please correct me if I'm wrong. MediaWiki
> often patches these libraries (e.g. jquery.ui) in this format hence IMO
> meeting the "preferred form of the work for making modifications to it"
> requirement of the GPL.

No, https://sources.debian.org/src/mediawiki/1%3A1.39.4-2/resources/lib/pako/
is webpacked in order to be transformed to es5. No source available
before webpack.

>
> > You could use the packaged library under debian
>
> Older versions of the package did that, but the version mismatches were
> not worth it. Plus MediaWiki has a ton of user-written code that's
> stored and loaded on-wiki, so deviations from the official version are
> incredibly hard to test and just cause breakage everywhere.

Pako is stable. I understand for jquery, but sinon, promise stuff and
so on could be packaged.

Moreover, in any case you should document the embedded code in the security tracker.

And not sticking to the latest jquery is a security problem. Are you sure
you have closed all the CVEs?

With my javascript hat on, I believe that working with upstream to
improve the testing (using selenium if needed) will improve the
security of mediawiki by using packaged and up-to-date js.

This bug should be solved package by package:
- first by doing an analysis of stable/not stable api => stable api use packaged
- for non stable and patched version => guarantee that source is here
- for non stable and patched version try to create test case with
upstream using selenium checking integration
- move to packaged

In all cases it decreases the burden from a security point of view.

bastien

>
> -- Kunal



Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-07-31 Thread Kunal Mehta

Hi,

On 7/29/23 16:44, Bastien Roucariès wrote:

> Dear Maintainer,
>
> resources/lib/
> (https://sources.debian.org/src/mediawiki/1:1.39.4-2/resources/lib/)
>
> includes a few libraries already packaged for Debian.
>
> Moreover some sources are missing (I have only checked pako).


These are in the preferred form for modification so I don't think 
there's any issue here, but please correct me if I'm wrong. MediaWiki 
often patches these libraries (e.g. jquery.ui) in this format hence IMO 
meeting the "preferred form of the work for making modifications to it" 
requirement of the GPL.



> You could use the packaged libraries under Debian


Older versions of the package did that, but the version mismatches were 
not worth it. Plus MediaWiki has a ton of user-written code that's 
stored and loaded on-wiki, so deviations from the official version are 
incredibly hard to test and just cause breakage everywhere.


-- Kunal



Bug#1042532: mediawiki: Vendoring a few javascript library without source

2023-07-29 Thread Bastien Roucariès
Source: mediawiki
Version: 1:1.39.4-2
Severity: serious
Justification: missing source

Dear Maintainer,

resources/lib/
(https://sources.debian.org/src/mediawiki/1:1.39.4-2/resources/lib/)

includes a few libraries already packaged for Debian.

Moreover some sources are missing (I have only checked pako).

You could use the packaged libraries under Debian.

Bastien


