11-01-2011, 02:55 PM
Antonio Terceiro

Dealing with embedded javascript libraries

Michael Gilbert wrote:
> On Wed, Oct 26, 2011 at 6:55 PM, Zygmunt Krynicki wrote:
> > Is there anyone that would like to mentor me for a while to help me get
> > started? I'm quite interested in solving this problem.
>
> You can certainly work on anything in Debian (including this) and
> present your work to mentors [0] and/or the maintainers of the
> package.

Better yet, I think the Javascript packaging team might be a good place
for this:

http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

--
Antonio Terceiro <terceiro@debian.org>
 
11-07-2011, 05:12 PM
Ian Jackson

Dealing with embedded javascript libraries

Pau Garcia i Quiles writes ("Re: Dealing with embedded javascript libraries"):
> On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> <ijackson@chiark.greenend.org.uk> wrote:
> > The difficulty is that if we end up with ten different versions of
> > some random javascript library, when it turns out to have a security
> > vulnerability we need to somehow backport the patch to each of those
> > ten versions.
> >
> > And here "we" means the security team, not the people who uploaded the
> > ten versions in the first place.
> >
> > So this is rather unpalatable.
>
> What's the alternative?
>
> It seems that we only have two choices:
>
> - Either all packages use the same version of the JavaScript library
...
> - Each package works with the upstream-bundled version of the

We could do this:

* No JS libraries should be bundled into binary packages; instead,
each package should Depend on an appropriate separate JS library
package.

* JS library packages should be versioned in the name, like C runtime
library packages are, so that multiple versions are coinstallable.

* If the number of different versions of a single JS library becomes
"too large", ftp-master and/or the security team will call a halt
and the uploads and/or testing migrations of some of them will be
blocked.

Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20152.8090.30627.248314@chiark.greenend.org.uk
 
11-07-2011, 06:03 PM
Bastian Blank

Dealing with embedded javascript libraries

On Mon, Nov 07, 2011 at 06:12:42PM +0000, Ian Jackson wrote:
> * JS library packages should be versioned in the name, like C runtime
> library packages are, so that multiple versions are coinstallable.

Why not _one_ package per lib and multiple (a sane number of) versions
in it? The security team will hate you anyway.

Bastian

--
The face of war has never changed. Surely it is more logical to heal
than to kill.
-- Surak of Vulcan, "The Savage Curtain", stardate 5906.5


--
Archive: http://lists.debian.org/20111107190344.GA1205@wavehammer.waldi.eu.org
 
11-07-2011, 07:16 PM
Vincent Danjean

Dealing with embedded javascript libraries

On 07/11/2011 20:03, Bastian Blank wrote:
> On Mon, Nov 07, 2011 at 06:12:42PM +0000, Ian Jackson wrote:
> > * JS library packages should be versioned in the name, like C runtime
> > library packages are, so that multiple versions are coinstallable.
>
> Why not _one_ package per lib and multiple (a sane number of) versions
> in it? The security team will hate you anyway.

Applications must be able to express their need by a dependency.

With only one package per lib, how can an application request the
availability of a specific version? By using 'Provides: ...-vXXX' in
lib package?

Regards,
Vincent

> Bastian


--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main


--
Archive: http://lists.debian.org/4EB83C95.9030202@free.fr
 
11-07-2011, 08:24 PM
Bastian Blank

Dealing with embedded javascript libraries

On Mon, Nov 07, 2011 at 09:16:21PM +0100, Vincent Danjean wrote:
> On 07/11/2011 20:03, Bastian Blank wrote:
> >On Mon, Nov 07, 2011 at 06:12:42PM +0000, Ian Jackson wrote:
> >> * JS library packages should be versioned in the name, like C runtime
> >> library packages are, so that multiple versions are coinstallable.
> >
> >Why not _one_ package per lib and multiple (a sane number of) versions
> >in it? The security team will hate you anyway.
> With only one package per lib, how can an application request the
> availability of a specific version? By using 'Provides: ...-vXXX' in
> lib package?

Exactly. The same way then with one package per version.

Bastian

--
We fight only when there is no other choice. We prefer the ways of
peaceful contact.
-- Kirk, "Spectre of the Gun", stardate 4385.3


--
Archive: http://lists.debian.org/20111107212401.GA3939@wavehammer.waldi.eu.org
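
An added example, not part of the original thread or of any Debian tool: a sketch of the count the proposals above would let the security team make, listing which versions of a JS library are depended on, whether the version is carried in a package name or in a `Provides` entry. The package names, the `libjs-<name><version>` convention and the limit are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed control stanzas; every package name here is hypothetical.
SAMPLE = """\
Package: libjs-examplelib1.4

Package: libjs-examplelib1.6

Package: libjs-examplelib
Provides: libjs-examplelib1.5, libjs-examplelib1.7

Package: webapp-a
Depends: libjs-examplelib1.4, httpd

Package: webapp-b
Depends: libjs-examplelib1.6 (>= 1.6.0)

Package: webapp-c
Depends: libjs-examplelib1.7
"""

# Assumed naming scheme: library name followed directly by its version.
VERSIONED = re.compile(r"^(libjs-[a-z-]+?)(\d+(?:\.\d+)*)$")

def parse_stanzas(text):
    """Yield one dict of field -> value per blank-line-separated stanza."""
    for block in text.strip().split("\n\n"):
        yield dict(line.split(": ", 1) for line in block.splitlines())

def names(field):
    """Package names in a Depends/Provides value, version constraints dropped."""
    return [p.split("(")[0].strip() for p in re.split(r"[,|]", field) if p.strip()]

def versions_in_use(text):
    """Map library -> {version: sorted dependents} for versioned JS dependencies."""
    stanzas = list(parse_stanzas(text))
    # A versioned name is satisfiable as a real package or as a Provides entry.
    available = {n for s in stanzas
                 for n in [s["Package"], *names(s.get("Provides", ""))]}
    usage = defaultdict(lambda: defaultdict(set))
    for s in stanzas:
        for dep in names(s.get("Depends", "")):
            m = VERSIONED.match(dep)
            if m and dep in available:
                usage[m.group(1)][m.group(2)].add(s["Package"])
    return {lib: {v: sorted(p) for v, p in vers.items()} for lib, vers in usage.items()}

def over_limit(text, limit):
    """Libraries with more distinct versions in use than the chosen limit."""
    return sorted(lib for lib, vers in versions_in_use(text).items() if len(vers) > limit)
```

Alternatives written with `|` are each counted as a version in use, which overstates rather than understates the patching workload.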
 
