Ubuntu
glewlwyd package

[MIR] glewlwyd as dependency of mailman3

Bug #1820195 reported by Christian Ehrhardt 
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
glewlwyd (Ubuntu)
Won't Fix
Undecided
Unassigned

Bug Description

[Availability]
The package is in Ubuntu Universe and builds for amd64, arm64, armhf, i386, ppc64el, s390x:
http://launchpad.net/ubuntu/+source/glewlwyd

Just fonts-glewlwyd is needed in main.

[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:

Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.

[Security]
There are no CVEs for glewlwyd:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=glewlwyd
The Ubuntu CVE tracker at http://people.ubuntu.com/~ubuntu-security/cve/universe.html
is also empty.

[Quality assurance]

As part of the mailman3 stacks as of now (Disco) this installs fine and works fine.
On itself it is useful to (many) other dependencies and does not need a post install configuration on its own.

- no debconf questions
- upstream has 3 open issues, and 28 closed ones:
  https://github.com/babelouest/glewlwyd/issues
- last one was filed over a year ago, in 2018
- last commit was in December 2018
- there is one Ubuntu bug, filed via apport:
  https://bugs.launchpad.net/ubuntu/+source/glewlwyd/+bug/1807768
- there is one bug in debian, requesting a translation:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906944

Debian tracker: https://tracker.debian.org/pkg/glewlwyd
- 3 lintian warnings, all about embedded js library
  (https://<email address hidden>#glewlwyd).
  These do not affect the binary package this MIR is about.
- debian seems to be keeping up-to-date with upstream releases

Tests
- no DEP8 tests
- test suite is NOT run at package build time. d/changelog has no mention of
  "test". the README.md
  (https://github.com/babelouest/glewlwyd/blob/master/test/README.md) says that
  some preparation is necessary, like installing a "check" package, and running
  a test server on localhost.

debian/watch
- available and working

lintian
- -I --pedantic output:
ubuntu@disco:~/deb/glewlwyd/glewlwyd-1.4.9$ lintian -I --pedantic
E: glewlwyd changes: bad-distribution-in-changes-file unstable
P: glewlwyd source: source-contains-browserified-javascript debian/missing-sources/react-bootstrap.js code fragment:(function webpackuniversalmoduledefinition(root, factory) { if(typeof exports === 'obje
P: glewlwyd source: source-contains-browserified-javascript webapp/js/react-bootstrap.js code fragment:(function webpackuniversalmoduledefinition(root, factory) { if(typeof exports === 'obje
I: glewlwyd source: testsuite-autopkgtest-missing
I: glewlwyd source: unused-override source-is-missing
I: fonts-glewlwyd: font-outside-font-dir usr/share/glewlwyd/webapp/fonts/fontawesome-webfont.woff
I: fonts-glewlwyd: font-outside-font-dir usr/share/glewlwyd/webapp/fonts/fontawesome-webfont.woff2
I: fonts-glewlwyd: font-outside-font-dir usr/share/glewlwyd/webapp/fonts/glyphicons-halflings-regular.eot
I: fonts-glewlwyd: font-outside-font-dir ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: glewlwyd-common: embedded-javascript-library usr/share/glewlwyd/webapp/js/bootstrap.js please use libjs-twitter-bootstrap
W: glewlwyd-common: embedded-javascript-library usr/share/glewlwyd/webapp/js/jquery-3.1.1.js please use libjs-jquery
W: glewlwyd-common: embedded-javascript-library usr/share/glewlwyd/webapp/js/jquery-3.1.1.min.js please use libjs-jquery
N: 0 tags overridden; 1 unused override

Keeping in mind that only fonts-gleqlwyd is of concern for this MIR,
fonts-outside-font-dir are the only issues.

Reliance on obsolete or about to be demoted packages
- the package build-depends on dh-exec, which is looking for a new maintainer
  in Debian (https://bugs.debian.org/851746)
- there are no py2 or gtk2 dependencies

[UI standards]
The package has PO templates and translations, although they are probably of no
concern for the binary package this MIR is interested in (fonts-glewlwyd).

[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.

[Standards compliance]
The odd lintian violation seems to be the directory where fonts are installed:
I: fonts-glewlwyd: font-outside-font-dir usr/share/glewlwyd/webapp/fonts/fontawesome-webfont.woff
N:
N: This package contains a TrueType, OpenType, or Type 1 fonts, but the
N: package does not install this file under /usr/share/fonts/.
N:
N: Refer to https://wiki.debian.org/Fonts/PackagingPolicy for details.
N:
N: Severity: wishlist, Certainty: possible

I did an apt-file search for .woff2 and .woff, and the results show that many
packages install these fonts in /usr/share/<pkg> directories.
Nothing else jumps out.

[Maintenance]
The Server team will subscribe for the package for maintenance, but in
general it seems low on updates and currently is a sync from Debian.

[Background]
None at this time.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

MIR acceptance (and review) is done on source level.
And approving (another?) "OAuth2 authentication server" in MAIN just for some fonts feels wrong.

I have seen that this seems to be used in the context of TWBS [1] and maybe that is the reason it is a dependency of mailman which uses TWBS.

It seems this font is embedded in e.g. hyperkitty (and other mailman3 packages [2][3]) but then packaging decided not to use the embedded font [4] (good) and instead rely on the one packaged (which added the package dependency).

But there must be another way - the font is "just" a normal font [5] (despite the name there are no welsh halfling symbols in there).

I think to make this MIR-acceptable one of the following has to be done:
a) strip the dependencies from mailman3 packages by using a different font
b) engage with Debian and break the font into a different package, there seems no reason that this has to be bundled with an Oauth server.

I'll need some MIR team members to check if there is this option:
c) Do partially approve a source package

[1]: https://github.com/twbs/bootstrap-sass/blob/master/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf
[2]: https://gitlab.com/mailman/mailman-website/tree/master/content/fonts
[3]: https://gitlab.com/mailman/mailman-website/commit/a97d6b4c5b29594004e3855f1ab1222449d0c211
[4]: https://salsa.debian.org/mailman-team/hyperkitty/commit/2f020f3025178d343f20324d6a41f1e918c5f854
[5]: https://www.wfonts.com/font/glyphicons-halflings

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Sounds like what you want is b). If all we need is the font, then also why is a font bundled with an OAUTH server?

For all intents and purposes, it should be more or less easy to split out.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks Mathieu for the confirmation - Assigned to Server Team to resolve the packaging change in Debian

Changed in glewlwyd (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After evaluating dependencies, required further changes and mostly maintainability for security and packaging it was decided there are too many concerns - not about any single package in particular, but the overall Mailman3 stack - about the ability to maintain and monitor it as well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved will stay that way, but we will make no seed change to pull things in for now. Yet if other needs come up for those they have a prepared MIR already.
Other bugs which are not yet completed in terms of review will be closed as Won't Fix.
Others are special cases like this one - here we had a task to resolve the font being grouped which we will now abort.

Even thou it ended being aborted, I think that is a valid outcome of the MIR evaluations. Never the less I want to thank everybody involved for all the work spent in what was nearly a year working through these MIRs.

Changed in glewlwyd (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.