Ubuntu
node-mj-context-menu package

MIR: node-mathjax-full, node-mj-context-menu

Bug #2101889 reported by Simon Quigley
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
node-mathjax-full (Ubuntu)
Invalid
Medium
Unassigned
node-mj-context-menu (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

[Availability]
- The package node-mathjax-full is already in Ubuntu universe.
- The package node-mathjax-full builds only architecture-independent packages and successfully builds on amd64.
- Link to package: https://launchpad.net/ubuntu/+source/node-mathjax-full

[Rationale]
- The package node-mathjax-full is required in Ubuntu main for sphinx.
- It is the new version of src:mathjax (from the same upstream), which is already in main (MIR bug 1878937). The source and binary package names are different, because upstream rewrote this project in TypeScript and changed API in an incompatible way.

[Security]
- Had 2 security issues in the past (one of them disputed): https://ubuntu.com/security/cves?package=mathjax
- However, both issues apply to 2.x branch, which is src:mathjax and already in main.
- No security issues for the 3.x branch.

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
- Ubuntu: https://bugs.launchpad.net/ubuntu/+source/node-mathjax-full
- Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=node-mathjax-full
- Upstream's bug tracker: https://github.com/mathjax/MathJax/issues

[Quality assurance - testing]
- The package does not run tests at build time because upstream does not provide a test suite, and testing is non-trivial because this library only works in a browser.
- The package can be tested manually e.g. by installing sphinx-doc, opening file:///usr/share/doc/sphinx-doc/html/usage/restructuredtext/roles.html#math in a browser and making sure that the Pythagoras theorem is displayed correctly.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules: https://salsa.debian.org/js-team/node-mathjax-full/-/blob/master/debian/rules

[UI standards]
- Application is end-user facing
- Translation is possible via https://github.com/mathjax/MathJax-i18n but not packaged

[Dependencies]
- There is one further dependency that is not yet in main: node-mj-context-menu. It is a small library, developed as part of mathjax project. The MIR process for it is handled as part of this bug here.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The package is maintained in Debian by the Debian JavaScript team. There is no Ubuntu delta.
- I (Dmitry Shachnev) am subscribed to bugs in Ubuntu.
- The package has a vendored copy of mhchemparser, it can be updated using standard tooling (debian/watch).
- The package has been built within the last 3 months in the archive.

[Background information]
- The Package description explains the package well.
- Upstream Name is MathJax.
- Link to upstream project: https://github.com/mathjax/MathJax

This upload is stuck in the proposed pocket:

sphinx (8.1.3-5) unstable; urgency=medium

  * Switch from MathJax 2 to MathJax 3.
  * Sort Build-Depends with wrap-and-sort from devscripts ≥ 2.24.8.

 -- Dmitry Shachnev <email address hidden> Fri, 31 Jan 2025 13:28:15 +0300

All of the autopkgtests on the excuses page (and there are a handful) pass. It's just blocked on this:

sphinx (8.1.3-4 to 8.1.3-5)

    Migration status for sphinx (8.1.3-4 to 8.1.3-5): BLOCKED: Rejected/violates migration policy/introduces a regression
    Issues preventing migration:
    sphinx-doc/amd64 in main cannot depend on node-mathjax-full in universe
    Impossible Depends: sphinx -> node-mathjax-full/3.2.2+~cs4.2.1-4/amd64

Could the team responsible for sphinx please clarify whether node-mathjax-full will receive a promotion, this upload will get reverted + we carry a delta, or whether sphinx-doc should be demoted?

Thanks in advance.

See original description
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

I think we need a MIR for node-mathjax-full.

It is just a newer version of src:mathjax from the same upstream, and mathjax was in main.

Dmitry Shachnev (mitya57)
description: updated
affects: sphinx (Ubuntu) → node-mathjax-full (Ubuntu)
Dmitry Shachnev (mitya57)
summary: - sphinx-doc/amd64 in main cannot depend on node-mathjax-full in universe
+ MIR: node-mathjax-full, node-mj-context-menu
description: updated
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Simon, Dmitry,

A few years ago we decided that packages that were in main solely to satisfy build-dependencies on packages didn't need to go through the MIR process, with the documentation being the primary driver of this decision.

I'm wondering if these packages even need the MIR process? Are they included here only because sphinx needs them? Or do we instead need to exclude them from the process? (I think that's in https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/tree/supported#n110 but I'm not positive.)

JFYI, we moved to a single bug per package -- Canonical is now using jira internally to track work and jira lacks a lot of the features of launchpad. The long and short of it is that it's just easier to only put a single package per bug.

Thanks

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Hi Seth, Simon!

Not only src:sphinx build-depends on node-mathjax-full, but also sphinx-doc binary package has runtime dependency on node-mathjax-full.

However, I can try to demote that dependency to Recommends. sphinx-doc includes mathjax only in 6 HTML files and actually uses only in 3:

$ rgrep -l 'class="math' /usr/share/doc/sphinx-doc/html
/usr/share/doc/sphinx-doc/html/usage/restructuredtext/roles.html
/usr/share/doc/sphinx-doc/html/usage/configuration.html
/usr/share/doc/sphinx-doc/html/latex.html

When node-mathjax-full is not installed, browser will display a warning that loading tex-mml-chtml.js failed, but the rest of the page should render fine.

Do you think that demoting dependency to Recommends is the right solution here? Will that be sufficient to make sphinx migrate to -release (or it’s not enough and I need to further demote to Suggests)?

Revision history for this message
Seth Arnold (seth-arnold) wrote :

> but also sphinx-doc binary package has runtime dependency on node-mathjax-full.

Ahhh, this may change it a bit. sphinx-doc is in main. (Does it need to be? Is it better for it to be in main regardless if we need it to be in main?)

Thanks

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

> sphinx-doc is in main. (Does it need to be? Is it better for it to be in main regardless if we need it to be in main?)

I don’t think it needs to be in main. And it seems to have no reverse-dependencies in main, if I am using the correct command:

$ reverse-depends -c main -r plucky sphinx-doc
$

If it’s possible to demote it to universe, please do that.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

I'm in agreement; it seems much better to demote sphinx-doc in this case.

Thank you both!

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Sphinx has migrated, so this MIR is not needed anymore.

Changed in node-mathjax-full (Ubuntu):
status: Confirmed → Invalid
Changed in node-mj-context-menu (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.