W. Martin Borgert wrote:
> For distributions such as Debian or Ubuntu it is very important
> not to duplicate software in the archive, mainly, but not only,
> for security reasons. Therefore, jQuery is packaged as a Debian
> package that is used by Trac, but also by other web applications.
> If e.g. a security bug is found in jQuery, we need only to update
> the jQuery package with a fixed version and do not need to care
> about Trac and e.g. half a dozen other packages.

While I understand (and agree with) the general idea, I wonder if that
situation really applies to jQuery (core, not jQuery UI, see below):

 - Maybe I'm a bit naive, but what security issues could be in a
JavaScript library? Security is provided by the browser, not the
libraries, isn't it?

 - Trac expects to find jquery.js in trac/htdocs/js. So in the Debian
packaging, you replace the file provided with Trac with a symlink to the
separately-packaged jquery.js?

 - Do you keep several versions of jQuery installed at the same time on
a system, and for every package you link to the required version?
Packaging jQuery with Trac (besides simplifying dependencies) ensures
that we can make changes to the Trac code required by a jQuery update in
sync with the update.

> If Trac would use an embedded copy of jQuery, why not also
> include Genshi, Pygments, PySQLite/PsycoPG etc.? I hope you
> don't do that :~)

Certainly not. There's (at least) one difference with jQuery: it doesn't
have a "standard" packaging, and therefore no standard location in the
filesystem where we could easily find it. And even if it did, it's a
single file, so I guess it seemed simpler to just include it.

I also notice that Gentoo doesn't have a jQuery package (just a data
point, certainly not an authoritative argument).

This would probably be different for jQuery UI, though. I assume it
includes images for the UI controls, so the "single file" argument
drops. Does Debian package jQuery UI? How does it link it into the
packages that need it?

-- Remy
