[FFe] Please sync mathjax 2.0.3-1 -> 2.0.3-2 from Debian experimental (main)

Bug #1042665 reported by Dmitry Shachnev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
mathjax (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

https://launchpad.net/debian/+source/mathjax/2.0.3-2

mathjax (2.0.3-2) experimental; urgency=low

  * Set priority to optional
  * Repack javascript files during build
    - Build-depend on yui-compressor and perl
    - Add debian/packer directory containing packing scripts
    - Add debian/combiner directory containing scripts used for creating
      "combined" configs

 -- Dmitry Shachnev <email address hidden> Sat, 25 Aug 2012 18:17:59 +0400

Most of the MathJax JS code is packed* (so that it has minimal size), which makes it unreadable and hard to analyze. Previously, I just used the packed files provided by upstream. Now, I repack them during build to make sure there's nothing harmful there.

* Unpacked code is provided too, in /usr/share/javascript/mathjax/unpacked/.

description: updated
Dimitri John Ledkov (xnox) wrote :

Although I agree that it is better to "compile from source", I am not sure of the benefits here after the Feature Freeze. Are there chances of mis-packing the js files and rendering websites un-usable / incompatible?

Also, it looks like you are still shipping the packed js files in the tarball; removing those and creating a dfsg tarball would shave 1.5M off the tarball. That is not a requirement from me, just a point for you to consider.

I have attached debdiff between current version in quantal and proposed one (diff between -1 and -2).

Dear release team, is this ok to be a "bug-fix" or do you grant a FFe for this?

If FFe is not required or you grant it, please subscribe ubuntu-sponsors once again.

summary: - Please sync mathjax 2.0.3-2 from Debian experimental (main)
+ [FFe] Please sync mathjax 2.0.3-1 -> 2.0.3-2 from Debian experimental
+ (main)
Dmitry Shachnev (mitya57) wrote :

The main argument for repacking those files is making sure that there's nothing malicious/harmful there. Also, this makes the package more compliant with the Debian policy. Anyway, let the Release Team decide whether it's possible to do this now.

> Are there chances of mis-packing the js files and rendering websites un-usable / incompatible?
If the package builds successfully, all the files should be there.

Iain Lane (laney) wrote :

How confident are you that your scripts produce output which is functionally the same as provided by upstream?

Dmitry Shachnev (mitya57) wrote :

There's a "test" directory in the orig tarball (covering different use cases / configurations); all pages from there work with the repacked MathJax.

If something goes wrong, it would be a critical bug in yui-compressor.

Dmitry Shachnev (mitya57) wrote :

Well, it seems that after a quick fix to the packer script [1], there's no difference between our packed files and upstream ones.

This means we could stick to the current version without any security risk.

[1]: https://github.com/mitya57/MathJax-dev/commit/d9b0070e47057750ef650205b4c805faab1ad30f
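
The comparison described in the comment above (rebuilt packed files versus the ones shipped by upstream) can be automated as a build-time check. This is an added example, not part of the original thread or the package's own scripts; the function names and the tiny sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each .js file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.js"))
        if p.is_file()
    }


def compare_packed(upstream_dir, rebuilt_dir):
    """Compare upstream-packed files with the ones repacked at build time."""
    upstream = sha256_tree(upstream_dir)
    rebuilt = sha256_tree(rebuilt_dir)
    return {
        "missing": sorted(set(upstream) - set(rebuilt)),   # upstream only
        "extra": sorted(set(rebuilt) - set(upstream)),     # rebuild only
        "differs": sorted(
            name for name in set(upstream) & set(rebuilt)
            if upstream[name] != rebuilt[name]
        ),
    }


def demo():
    """Run the comparison on two small constructed trees (not real MathJax files)."""
    with tempfile.TemporaryDirectory() as tmp:
        up, rb = Path(tmp, "upstream"), Path(tmp, "rebuilt")
        for d in (up / "jax", rb / "jax"):
            d.mkdir(parents=True)
        (up / "MathJax.js").write_bytes(b"var a=1;")
        (rb / "MathJax.js").write_bytes(b"var a=1;")        # identical
        (up / "jax" / "in.js").write_bytes(b"var b=2;")
        (rb / "jax" / "in.js").write_bytes(b"var b=2;x()")  # content differs
        (up / "jax" / "out.js").write_bytes(b"var c=3;")    # never rebuilt
        (rb / "extra.js").write_bytes(b"var d=4;")          # only in rebuild
        return compare_packed(up, rb)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

An empty report means the packed files are byte-for-byte what the packer produces from the unpacked source; any entry under "differs" or "missing" is a packed file that cannot be traced back to the reviewed source and needs inspection.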

Changed in mathjax (Ubuntu):
status: New → Invalid