Re: deduplicating jquery/

To: debian-devel@lists.debian.org
Subject: Re: deduplicating jquery/
From: Russ Allbery <rra@debian.org>
Date: Mon, 30 Nov 2020 14:51:18 -0800
Message-id: <[🔎] 877dq2a26x.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20201130212943.GY8931@mail.wookware.org> (wookey@wookware.org's message of "Mon, 30 Nov 2020 21:29:43 +0000")
References: <[🔎] 20201130212943.GY8931@mail.wookware.org>

Wookey <wookey@wookware.org> writes:

> Having read #903428 I see there is no enthusiasm for fixing this in the
> tooling. And also that I am not the only person coming across this and
> wondering what to do about it. I've had this experience before with both
> doxygen and javadoc and have spent some years assuming that someone will
> sort this out eventually.

This is essentially another iteration of the vendoring debate.  Normal
development practice in the JavaScript world is to aggressively vendor and
pin, and only occasionally update the pinned version.  (Well, arguably,
normal development practice for web pages in the JavaScript world is to
just load libraries like jQuery from a CDN because the browser will
normally already have that cached, but that's yet another debate that I
don't feel like getting into.)

The root problem, at least as I understand it, is that the two relevant
upstreams (and probably lots more) have followed those practices to vendor
and pin versions of jQuery, and are not regularly updating those pins, so
the current version in Debian may or may not work.

It's an inherent mismatch with our packaging practices, made somewhat
worse in at least some JavaScript cases (I don't remember if either of
these upstreams have this problem, but I know some jQuery users do) of
vendoring the minimized version, which isn't source.

If we want to unvendor jQuery without breaking functionality, I think we'd
need to either (a) help usptream do the work of constantly moving their
pin to the latest version and fix any resulting problems (which we and
upstream may not have resources to do and which upstream may not want to
commit to doing, and which upstream is generally unenthusiastic about), or
(b) package every version of jQuery that soemthing might be using, so that
we can always link to a compatible version.  The latter has interesting
security implications, plus either it bloats a single package or it
requires a possibly large number of packages of numerous jQuery versions.

All of this is work that doesn't do a lot for our users.  Do we want to do
this work?  Is it a high enough priority to warrant the effort?

The minimum amount of work we have to do per the Social Contract is to
provide the source of minimized versions, so it's probably not possible to
avoid doing some amount of tedious effort here.

> Given that the maintainers of both javadoc and doxygen have declared
> this "wontfix" should we not at least stop lintian complaining about it?

Personally, I would think so, since it makes the Lintian tag effectively
unactionable.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: deduplicating jquery/
  - From: Wookey <wookey@wookware.org>

Prev by Date: Bug#976174: ITP:papershaper--automagic wallpaper swapper
Next by Date: Re: deduplicating jquery/
Previous by thread: Re: deduplicating jquery/
Next by thread: Re: deduplicating jquery/
Index(es):
- Date
- Thread