[Secure-testing-team] Bug#721567: photofloat: should use separately packaged libjs-* packages (not include convenience code copies)

Jonas Smedegaard dr at jones.dk
Sun Sep 1 23:05:52 UTC 2013


Package: photofloat
Severity: normal
Tags: security

It seems photofloat makes some attempt at reusing JavaScript packages,
by use of symlinks, but fails to declare dependencies on them, and still
ships with minified files, and a file scripts.min.js seemingly
bundling all JavaScript files - presumably from included convenience
code copies, not from the separately maintained library packages.

The package should solely use JavaScript library packages for reusable
JavaScript code - including getting the jQuery modules packaged which do
not currently exist: if you are not interested in maintaining those packages
yourself, try asking the JavaScript Team to take care of that.

For the bundling file I think it would be best for the package to generate
that file using a dpkg trigger, so that it gets regenerated whenever one
of its dependent library packages is updated.

The bundle file is most optimally minimized if done in one go, instead
of concatenating individually minimized parts.  The most efficient and
also most reliable minimizer is uglifyjs.

It seems the minified bundle file is the only JavaScript file needed
at the location for use at runtime - other files and symlinks to files
might be better located at a different location, if setting up the
auto-bundling suggested above.


 - Jonas
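
The trigger-driven regeneration suggested in the report, sketched as an added example that is not part of the original message or of the photofloat package. The directory layout, the `debian/triggers` line in the comment, and the helper names `rebuild_bundle` and `handle_postinst` are assumptions made for illustration.

```shell
#!/bin/sh
# Sketch of debian/postinst for trigger-driven bundling (added example).
# Assumed companion file debian/triggers, one line per watched library dir:
#   interest-noawait /usr/share/javascript/jquery
# Every path below is a hypothetical placeholder, not photofloat's real layout.
JS_SRC_DIR=/usr/share/photofloat/js-src              # symlinks to libjs-* files
BUNDLE=/usr/share/photofloat/web/js/scripts.min.js   # only file served at runtime
MINIFIER=uglifyjs
MINIFY_OPTS="--compress --mangle"

# Minify all sources in ONE minifier run, then swap the bundle in atomically.
rebuild_bundle() {
    src_dir=$1
    out=$2
    tmp="$out.tmp.$$"
    # Sorted glob order fixes the load order (name files 00-jquery.js, 10-...).
    set -- "$src_dir"/*.js
    if [ ! -e "$1" ]; then
        echo "no JavaScript sources in $src_dir" >&2
        return 1
    fi
    # $MINIFY_OPTS is intentionally unquoted so it splits into separate options.
    if "$MINIFIER" $MINIFY_OPTS -- "$@" > "$tmp"; then
        mv -f "$tmp" "$out"
    else
        # Keep serving the previous bundle rather than a truncated one.
        rm -f "$tmp"
        echo "minifier failed; keeping existing $out" >&2
        return 1
    fi
}

# dpkg runs postinst with "triggered <names>" when a watched path changes.
handle_postinst() {
    case "$1" in
        configure|triggered)
            rebuild_bundle "$JS_SRC_DIR" "$BUNDLE" ;;
        abort-upgrade|abort-remove|abort-deconfigure)
            ;;
        *)
            echo "postinst called with unknown argument '$1'" >&2
            return 1 ;;
    esac
}

# Only act when invoked with maintainer-script arguments.
if [ "$#" -gt 0 ]; then
    handle_postinst "$@"
fi
```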


