[FFe] Please sync mathjax 2.0.3-1 -> 2.0.3-2 from Debian experimental (main)

Bug #1042665 reported by Dmitry Shachnev
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mathjax (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

https://launchpad.net/debian/+source/mathjax/2.0.3-2

mathjax (2.0.3-2) experimental; urgency=low

  * Set priority to optional
  * Repack javascript files during build
    - Build-depend on yui-compressor and perl
    - Add debian/packer directory containing packing scripts
    - Add debian/combiner directory containing scripts used for creating
      "combined" configs

 -- Dmitry Shachnev <email address hidden> Sat, 25 Aug 2012 18:17:59 +0400

Most of MathJax JS code is packed* (so that it has minimal size), which makes it unreadable and hard to analyze. Previously, I just used packed files provided by upstream. Now, I repack them during build to make sure there's nothing harmful there.

* Unpacked code is provided too, in /usr/share/javascript/mathjax/unpacked/.

description: updated
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Although I agree that it is better to "compile from source", I am not sure of the benefits here after the Feature Freeze. Are there chances of mis-packing the js files and rendering websites un-usable / incompatible?

Also it looks like you are still shipping the packed js files in the tarball, removing those and creating a dfsg tarball would shave 1.5M of the tarball. That is not a requirement from me, just a point for you to consider.

I have attached debdiff between current version in quantal and proposed one (diff between -1 and -2).

Dear release team, is this ok to be a "bug-fix" or do you grant a FFe for this?

If FFe is not required or you grant it, please subscribe ubuntu-sponsors once again.

summary: - Please sync mathjax 2.0.3-2 from Debian experimental (main)
+ [FFe] Please sync mathjax 2.0.3-1 -> 2.0.3-2 from Debian experimental
+ (main)
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

The main argument for repacking those files is making sure that there's nothing mailicious/harmful there. Also, this makes the package more compliant to the Debian policy. Anyway, let the Release Team decide whether it's possible to do this now.

> Are there chances of mis-packing the js files and rendering websites un-usable / incompatible?
If the package builds successfully, all the files should be there.

Revision history for this message
Iain Lane (laney) wrote :

How confident are you that your scripts produce output which is functionally the same as provided by upstream?

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

There's "test" directory in the orig tarball (covering different use cases / configurations), all pages from there work with repacked MathJax.

If something goes wrong, it would be a critical bug in yui-compressor.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Well, it seems that after a quick fix to the packer script [1], there's no difference between our packed files and upstream ones.

This means we could stick to the current version without any security risk.

[1]: https://github.com/mitya57/MathJax-dev/commit/d9b0070e47057750ef650205b4c805faab1ad30f

Changed in mathjax (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Bug attachments