Acknowledgement sent
to Xavier Guimard <yadd@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Tue, 20 Oct 2020 13:45:03 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-lightgallery is built using minified files
Date: Tue, 20 Oct 2020 15:41:00 +0200
Package: node-lightgallery
Version: 1.6.11+dfsg-1
Severity: serious
Justification: 4
Hi,
debian/source/lintian-overrides overwrites some real problems: the
"concat" part of Gulpfile uses modules/* files which are all obfuscated
using minification (downloaded from distinct sources).
A possible solution could be to ignore modules/* files during import and
add related components using uscan components (with a build).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#972570; Package node-lightgallery.
(Sat, 13 Feb 2021 06:42:02 GMT)
Acknowledgement sent
to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sat, 13 Feb 2021 06:42:02 GMT)
Hi,
node-lightgallery won't be part of Bullseye. I propose to remove it from
Debian. Its place is perhaps in non-free section but not here under JS
Team umbrella in main section.
Cheers,
Xavier
Acknowledgement sent
to Daniel Ring <dring@wolfishly.me>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 23 Apr 2021 07:57:02 GMT)
To: Xavier Guimard <yadd@debian.org>, 972570@bugs.debian.org
Subject: Re: node-lightgallery is built using minified files
Date: Fri, 23 Apr 2021 00:44:41 -0700
Hello Xavier,
It looks like the build process was minifying the source files to the
destination *.js files and copying the pre-minified files to *.min.js. I
corrected it to copy the unminified files directly and minify them to
*.min.js.
I also updated the package on Salsa to exclude the minified
modules/*.min.js files via Files-Excluded in d/copyright, so they're no
longer in the source package at all.
Sincerely,
Daniel Ring
On 10/20/2020 6:41 AM, Xavier Guimard wrote:
> Package: node-lightgallery
> Version: 1.6.11+dfsg-1
> Severity: serious
> Justification: 4
>
> Hi,
>
> debian/source/lintian-overrides overwrites some real problems: the
> "concat" part of Gulpfile uses modules/* files which are all obfuscated
> using minification (downloaded from distinct sources).
> A possible solution could be to ignore modules/* files during import and
> add related components using uscan components (with a build).
>
>
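A check in the spirit of the fix described in the message above, as an added example that is not part of the original e-mail or the package's build: it flags JavaScript that looks minified but has no readable counterpart in the same tree. The paths, thresholds and file contents are constructed assumptions, and the heuristic is a simplification, not lintian's implementation.

```javascript
// Added example (not from the bug report or the package): flag JavaScript
// that looks minified but has no readable source beside it.
// Thresholds, paths and file contents below are constructed assumptions.

const MAX_LINE_LENGTH = 512;   // assumed: longer lines are not hand-written
const MIN_WHITESPACE = 0.05;   // assumed: readable code is >5% whitespace

// Heuristic only: very long lines or almost no whitespace suggest minification.
function looksMinified(content) {
  if (content.length === 0) return false;
  const longest = content
    .split('\n')
    .reduce((max, line) => Math.max(max, line.length), 0);
  const whitespace = (content.match(/\s/g) || []).length / content.length;
  return longest > MAX_LINE_LENGTH ||
    (content.length > 200 && whitespace < MIN_WHITESPACE);
}

// files: object mapping a relative path to that file's text.
// Returns [{ path, issue }] in path order.
function auditSources(files) {
  const findings = [];
  for (const path of Object.keys(files).sort()) {
    if (!path.endsWith('.js')) continue;
    if (path.endsWith('.min.js')) {
      // A minified artifact is acceptable only next to the file it came from.
      const sourcePath = path.replace(/\.min\.js$/, '.js');
      if (!Object.prototype.hasOwnProperty.call(files, sourcePath)) {
        findings.push({ path, issue: 'minified-without-source' });
      }
    } else if (looksMinified(files[path])) {
      // The case from this report: minified output written under a plain name.
      findings.push({ path, issue: 'minified-content-under-plain-name' });
    }
  }
  return findings;
}

// Constructed sample contents.
const MINIFIED = '!function(a){a.x=1}(window);'.repeat(30);
const READABLE = [
  'function openVideo(url) {',
  '  var frame = document.createElement("iframe");',
  '  frame.src = url;',
  '  return frame;',
  '}',
  ''
].join('\n');

// Constructed tree resembling the state described in the report.
const BEFORE_FIX = {
  'src/js/lightgallery.js': READABLE,
  'modules/lg-video.min.js': MINIFIED,        // pre-minified, no source
  'dist/js/lightgallery.js': MINIFIED,        // minified into the plain name
  'dist/js/lightgallery.min.js': MINIFIED
};

// Constructed tree after the change described in the message above.
const AFTER_FIX = {
  'src/js/lightgallery.js': READABLE,
  'dist/js/lightgallery.js': READABLE,        // copied unminified
  'dist/js/lightgallery.min.js': MINIFIED     // minified from the copy
};

console.log(auditSources(BEFORE_FIX));
console.log(auditSources(AFTER_FIX));
```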
Acknowledgement sent
to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 23 Apr 2021 15:51:02 GMT)
To: Daniel Ring <dring@wolfishly.me>, 972570@bugs.debian.org
Subject: Re: node-lightgallery is built using minified files
Date: Fri, 23 Apr 2021 17:47:23 +0200
Control: tags -1 + pending
On 23/04/2021 at 09:44, Daniel Ring wrote:
> Hello Xavier,
>
> It looks like the build process was minifying the source files to the
> destination *.js files and copying the pre-minified files to *.min.js. I
> corrected it to copy the unminified files directly and minify them to
> *.min.js.
>
> I also updated the package on Salsa to exclude the minified
> modules/*.min.js files via Files-Excluded in d/copyright, so they're no
> longer in the source package at all.
>
> Sincerely,
> Daniel Ring
Hi,
looks good to me, thanks! Could you also ignore these warnings in a
debian/lintian-overrides? It looks like a false positive
Cheers,
Yadd
W: node-lightgallery: privacy-breach-generic
usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
height="315"
src="//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+'"
frameborder="0" allowfullscreen>]
(//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+')
W: node-lightgallery: privacy-breach-generic
usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
class="lg-video-object lg-vimeo '+o+'" '+l+' width="560" height="315"
src="//player.vimeo.com/video/'+t.vimeo[1]+d+'" frameborder="0"
webkitallowfullscreen mozallowfullscreen allowfullscreen>]
(//player.vimeo.com/video/'+t.vimeo[1]+d+')
W: node-lightgallery: privacy-breach-generic
usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
class="lg-video-object lg-vk '+o+'" '+l+' width="560" height="315"
src="//vk.com/video_ext.php?'+t.vk[1]+d+'" frameborder="0"
allowfullscreen>] (//vk.com/video_ext.php?'+t.vk[1]+d+')
W: node-lightgallery: privacy-breach-generic
usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
class="lg-video-object lg-youtube '+o+'" '+l+' width="560" height="315"
src="//www.youtube.com/embed/'+t.youtube[1]+d+'" frameborder="0"
allowfullscreen>] (//www.youtube.com/embed/'+t.youtube[1]+d+')
Added tag(s) pending.
Request was from Yadd <yadd@debian.org>
to 972570-submit@bugs.debian.org.
(Fri, 23 Apr 2021 15:51:02 GMT)
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 23 Apr 2021 17:06:04 GMT)
Quoting Yadd (2021-04-23 17:47:23)
> Control: tags -1 + pending
>
> On 23/04/2021 at 09:44, Daniel Ring wrote:
> > Hello Xavier,
> >
> > It looks like the build process was minifying the source files to the
> > destination *.js files and copying the pre-minified files to *.min.js. I
> > corrected it to copy the unminified files directly and minify them to
> > *.min.js.
> >
> > I also updated the package on Salsa to exclude the minified
> > modules/*.min.js files via Files-Excluded in d/copyright, so they're no
> > longer in the source package at all.
> >
> > Sincerely,
> > Daniel Ring
>
> Hi,
>
> looks good to me, thanks! Could you also ignore these warnings in a
> debian/lintian-overrides? It looks like a false positive
>
> Cheers,
> Yadd
>
> W: node-lightgallery: privacy-breach-generic
> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
> height="315"
> src="//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+'"
> frameborder="0" allowfullscreen>]
> (//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+')
> W: node-lightgallery: privacy-breach-generic
> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
> class="lg-video-object lg-vimeo '+o+'" '+l+' width="560" height="315"
> src="//player.vimeo.com/video/'+t.vimeo[1]+d+'" frameborder="0"
> webkitallowfullscreen mozallowfullscreen allowfullscreen>]
> (//player.vimeo.com/video/'+t.vimeo[1]+d+')
> W: node-lightgallery: privacy-breach-generic
> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
> class="lg-video-object lg-vk '+o+'" '+l+' width="560" height="315"
> src="//vk.com/video_ext.php?'+t.vk[1]+d+'" frameborder="0"
> allowfullscreen>] (//vk.com/video_ext.php?'+t.vk[1]+d+')
> W: node-lightgallery: privacy-breach-generic
> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
> class="lg-video-object lg-youtube '+o+'" '+l+' width="560" height="315"
> src="//www.youtube.com/embed/'+t.youtube[1]+d+'" frameborder="0"
> allowfullscreen>] (//www.youtube.com/embed/'+t.youtube[1]+d+')
Those warnings look real to me.
What makes you consider them false positives, Xavier?
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Acknowledgement sent
to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 23 Apr 2021 19:33:03 GMT)
To: Jonas Smedegaard <jonas@jones.dk>, 972570@bugs.debian.org,
Daniel Ring <dring@wolfishly.me>
Subject: Re: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built
using minified files
Date: Fri, 23 Apr 2021 21:31:43 +0200
On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
> Quoting Yadd (2021-04-23 17:47:23)
>> Control: tags -1 + pending
>>
>> On 23/04/2021 at 09:44, Daniel Ring wrote:
>>> Hello Xavier,
>>>
>>> It looks like the build process was minifying the source files to the
>>> destination *.js files and copying the pre-minified files to *.min.js. I
>>> corrected it to copy the unminified files directly and minify them to
>>> *.min.js.
>>>
>>> I also updated the package on Salsa to exclude the minified
>>> modules/*.min.js files via Files-Excluded in d/copyright, so they're no
>>> longer in the source package at all.
>>>
>>> Sincerely,
>>> Daniel Ring
>>
>> Hi,
>>
>> looks good to me, thanks! Could you also ignore these warnings in a
>> debian/lintian-overrides? It looks like a false positive
>>
>> Cheers,
>> Yadd
>>
>> W: node-lightgallery: privacy-breach-generic
>> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
>> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
>> height="315"
> [...]
> Those warnings look real to me.
>
> What makes you consider them false positives, Xavier?
Hi Jonas,
yes but the relevant lines are in if/then/else blocks:
if (isVideo.youtube) {
... video = '<iframe ... src="//www.youtube.com/embed/' + .../>
so it looks like an admin choice, Daniel maybe I'm wrong here?
Acknowledgement sent
to Daniel Ring <dring@wolfishly.me>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sat, 24 Apr 2021 04:39:02 GMT)
To: Yadd <yadd@debian.org>, Jonas Smedegaard <jonas@jones.dk>,
972570@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built
using minified files
Date: Fri, 23 Apr 2021 21:35:34 -0700
The warnings are already overridden in the current version on Salsa,
since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is
used to display a video from that source (e.g. by passing it a Youtube
link).
Sincerely,
Daniel Ring
On 4/23/2021 12:31 PM, Yadd wrote:
> On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
>> Quoting Yadd (2021-04-23 17:47:23)
>>> Control: tags -1 + pending
>>>
>>> On 23/04/2021 at 09:44, Daniel Ring wrote:
>>>> Hello Xavier,
>>>>
>>>> It looks like the build process was minifying the source files to the
>>>> destination *.js files and copying the pre-minified files to *.min.js. I
>>>> corrected it to copy the unminified files directly and minify them to
>>>> *.min.js.
>>>>
>>>> I also updated the package on Salsa to exclude the minified
>>>> modules/*.min.js files via Files-Excluded in d/copyright, so they're no
>>>> longer in the source package at all.
>>>>
>>>> Sincerely,
>>>> Daniel Ring
>>>
>>> Hi,
>>>
>>> looks good to me, thanks! Could you also ignore these warnings in a
>>> debian/lintian-overrides? It looks like a false positive
>>>
>>> Cheers,
>>> Yadd
>>>
>>> W: node-lightgallery: privacy-breach-generic
>>> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
>>> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
>>> height="315"
>> [...]
>> Those warnings look real to me.
>>
>> What makes you consider them false positives, Xavier?
>
> Hi Jonas,
>
> yes but the relevant lines are in if/then/else blocks:
>
> if (isVideo.youtube) {
> ... video = '<iframe ... src="//www.youtube.com/embed/' + .../>
>
> so it looks like an admin choice, Daniel maybe I'm wrong here?
>
Acknowledgement sent
to Daniel Ring <dring@wolfishly.me>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sat, 24 Apr 2021 23:15:06 GMT)
To: Yadd <yadd@debian.org>, Jonas Smedegaard <jonas@jones.dk>,
972570@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built
using minified files
Date: Sat, 24 Apr 2021 16:12:06 -0700
It looks like this RC bug also caused the next version of Rainloop to be
removed from bullseye before the freeze. That version contains a
relatively important security fix (bug #962629), so both Rainloop and
node-lightgallery will need to be uploaded to bullseye-backports (when
available) as well as unstable.
Sincerely,
Daniel Ring
On 4/23/2021 9:35 PM, Daniel Ring wrote:
> The warnings are already overridden in the current version on Salsa,
> since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is
> used to display a video from that source (e.g. by passing it a Youtube
> link).
>
> Sincerely,
> Daniel Ring
>
> On 4/23/2021 12:31 PM, Yadd wrote:
>> On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
>>> Quoting Yadd (2021-04-23 17:47:23)
>>>> Control: tags -1 + pending
>>>>
>>>> On 23/04/2021 at 09:44, Daniel Ring wrote:
>>>>> Hello Xavier,
>>>>>
>>>>> It looks like the build process was minifying the source files to the
>>>>> destination *.js files and copying the pre-minified files to
>>>>> *.min.js. I
>>>>> corrected it to copy the unminified files directly and minify them to
>>>>> *.min.js.
>>>>>
>>>>> I also updated the package on Salsa to exclude the minified
>>>>> modules/*.min.js files via Files-Excluded in d/copyright, so
>>>>> they're no
>>>>> longer in the source package at all.
>>>>>
>>>>> Sincerely,
>>>>> Daniel Ring
>>>>
>>>> Hi,
>>>>
>>>> looks good to me, thanks! Could you also ignore these warnings in a
>>>> debian/lintian-overrides? It looks like a false positive
>>>>
>>>> Cheers,
>>>> Yadd
>>>>
>>>> W: node-lightgallery: privacy-breach-generic
>>>> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
>>>> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
>>>> height="315"
>>> [...]
>>> Those warnings look real to me.
>>>
>>> What makes you consider them false positives, Xavier?
>>
>> Hi Jonas,
>>
>> yes but the relevant lines are in if/then/else blocks:
>>
>> if (isVideo.youtube) {
>> ... video = '<iframe ... src="//www.youtube.com/embed/' + .../>
>>
>> so it looks like an admin choice, Daniel maybe I'm wrong here?
>>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#972570; Package node-lightgallery.
(Sun, 03 Oct 2021 19:45:03 GMT)
Acknowledgement sent
to Joe Nahmias <joe@nahmias.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sun, 03 Oct 2021 19:45:03 GMT)
Cc: Yadd <yadd@debian.org>, Jonas Smedegaard <jonas@jones.dk>,
972570@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built
using minified files
Date: Sun, 3 Oct 2021 15:32:55 -0400
Hello,
Now that bullseye has been released, would it be possible to upload a fix
for this to unstable? That would allow node-lightgallery and rainloop to
migrate to testing (bookworm) and then be backported to bullseye.
If you are not able to do this at the moment, due to time constraints, I'm
happy to prepare the upload based on what's in Salsa, as long as it's okay
with the JS team.
Thanks,
--Joe
On Sat, Apr 24, 2021 at 04:12:06PM -0700, Daniel Ring wrote:
> It looks like this RC bug also caused the next version of Rainloop to be
> removed from bullseye before the freeze. That version contains a relatively
> important security fix (bug #962629), so both Rainloop and node-lightgallery
> will need to be uploaded to bullseye-backports (when available) as well as
> unstable.
>
> Sincerely,
> Daniel Ring
>
> On 4/23/2021 9:35 PM, Daniel Ring wrote:
> > The warnings are already overridden in the current version on Salsa,
> > since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is
> > used to display a video from that source (e.g. by passing it a Youtube
> > link).
> >
> > Sincerely,
> > Daniel Ring
> >
> > On 4/23/2021 12:31 PM, Yadd wrote:
> > > On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
> > > > Quoting Yadd (2021-04-23 17:47:23)
> > > > > Control: tags -1 + pending
> > > > >
> > > > > > On 23/04/2021 at 09:44, Daniel Ring wrote:
> > > > > > Hello Xavier,
> > > > > >
> > > > > > It looks like the build process was minifying the source files to the
> > > > > > destination *.js files and copying the pre-minified
> > > > > > files to *.min.js. I
> > > > > > corrected it to copy the unminified files directly and minify them to
> > > > > > *.min.js.
> > > > > >
> > > > > > I also updated the package on Salsa to exclude the minified
> > > > > > modules/*.min.js files via Files-Excluded in
> > > > > > d/copyright, so they're no
> > > > > > longer in the source package at all.
> > > > > >
> > > > > > Sincerely,
> > > > > > Daniel Ring
> > > > >
> > > > > Hi,
> > > > >
> > > > > looks good to me, thanks! Could you also ignore these warnings in a
> > > > > > debian/lintian-overrides? It looks like a false positive
> > > > >
> > > > > Cheers,
> > > > > Yadd
> > > > >
> > > > > W: node-lightgallery: privacy-breach-generic
> > > > > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
> > > > > class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
> > > > > height="315"
> > > > [...]
> > > > Those warnings look real to me.
> > > >
> > > > What makes you consider them false positives, Xavier?
> > >
> > > Hi Jonas,
> > >
> > > yes but the relevant lines are in if/then/else blocks:
> > >
> > > if (isVideo.youtube) {
> > > ... video = '<iframe ... src="//www.youtube.com/embed/' + .../>
> > >
> > > so it looks like an admin choice, Daniel maybe I'm wrong here?
> > >
>
Reply sent
to Yadd <yadd@debian.org>:
You have taken responsibility.
(Mon, 11 Oct 2021 09:24:04 GMT)
Notification sent
to Xavier Guimard <yadd@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Oct 2021 09:24:05 GMT)
Subject: Bug#972570: fixed in node-lightgallery 1.9.0+dfsg-1
Date: Mon, 11 Oct 2021 09:21:55 +0000
Source: node-lightgallery
Source-Version: 1.9.0+dfsg-1
Done: Yadd <yadd@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-lightgallery, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 972570@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-lightgallery package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Oct 2021 11:04:20 +0200
Source: node-lightgallery
Architecture: source
Version: 1.9.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 972570
Changes:
node-lightgallery (1.9.0+dfsg-1) unstable; urgency=medium
.
* Team upload
.
[ Debian Janitor ]
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Submit.
* Remove obsolete fields Contact, Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
* Update standards version to 4.5.0, no changes needed.
.
[ Yadd ]
* Bump debhelper compatibility level to 13
* Add "Rules-Requires-Root: no"
* Add debian/gbp.conf
* Use dh-sequence-nodejs auto install
+ Ignore minimal test: not a real node module
+ Fix "files" field
* Update exclude list
* New upstream version 1.9.0+dfsg
* Update patch
* Provides libjs-lightgallery
.
[ Daniel Ring ]
* Exclude unused minified files from source package
* Fix module minification and copying (Closes: #972570)
.
[ Yadd ]
* Update standards version to 4.6.0, no changes needed.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#972570; Package node-lightgallery.
(Wed, 13 Oct 2021 06:57:04 GMT)
Acknowledgement sent
to Daniel Ring <dring@wolfishly.me>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Wed, 13 Oct 2021 06:57:04 GMT)
Cc: Yadd <yadd@debian.org>, Jonas Smedegaard <jonas@jones.dk>,
972570@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built
using minified files
Date: Tue, 12 Oct 2021 23:43:57 -0700
Hello,
The package on Salsa should be ready for upload and backport. It wasn't
uploaded at the time due to the release freeze, and it's been waiting
for review since then.
I'd have uploaded it myself after the freeze ended, but I haven't been
able to get my GPG key signed due to the pandemic so I don't have
maintainer access.
Sincerely,
Daniel Ring
On 10/3/2021 12:32 PM, Joe Nahmias wrote:
> Hello,
>
> Now that bullseye has been released, would it be possible to upload a fix
> for this to unstable? That would allow node-lightgallery and rainloop to
> migrate to testing (bookworm) and then be backported to bullseye.
>
> If you are not able to do this at the moment, due to time constraints, I'm
> happy to prepare the upload based on what's in Salsa, as long as it's okay
> with the JS team.
>
> Thanks,
> --Joe
>
> On Sat, Apr 24, 2021 at 04:12:06PM -0700, Daniel Ring wrote:
>> It looks like this RC bug also caused the next version of Rainloop to be
>> removed from bullseye before the freeze. That version contains a relatively
>> important security fix (bug #962629), so both Rainloop and node-lightgallery
>> will need to be uploaded to bullseye-backports (when available) as well as
>> unstable.
>>
>> Sincerely,
>> Daniel Ring
>>
>> On 4/23/2021 9:35 PM, Daniel Ring wrote:
>>> The warnings are already overridden in the current version on Salsa,
>>> since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is
>>> used to display a video from that source (e.g. by passing it a Youtube
>>> link).
>>>
>>> Sincerely,
>>> Daniel Ring
>>>
>>> On 4/23/2021 12:31 PM, Yadd wrote:
>>>> On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
>>>>> Quoting Yadd (2021-04-23 17:47:23)
>>>>>> Control: tags -1 + pending
>>>>>>
>>>>>>> On 23/04/2021 at 09:44, Daniel Ring wrote:
>>>>>>> Hello Xavier,
>>>>>>>
>>>>>>> It looks like the build process was minifying the source files to the
>>>>>>> destination *.js files and copying the pre-minified
>>>>>>> files to *.min.js. I
>>>>>>> corrected it to copy the unminified files directly and minify them to
>>>>>>> *.min.js.
>>>>>>>
>>>>>>> I also updated the package on Salsa to exclude the minified
>>>>>>> modules/*.min.js files via Files-Excluded in
>>>>>>> d/copyright, so they're no
>>>>>>> longer in the source package at all.
>>>>>>>
>>>>>>> Sincerely,
>>>>>>> Daniel Ring
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> looks good to me, thanks! Could you also ignore these warnings in a
>>>>>> debian/lintian-overrides? It looks like a false positive
>>>>>>
>>>>>> Cheers,
>>>>>> Yadd
>>>>>>
>>>>>> W: node-lightgallery: privacy-breach-generic
>>>>>> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
>>>>>> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
>>>>>> height="315"
>>>>> [...]
>>>>> Those warnings look real to me.
>>>>>
>>>>> What makes you consider them false positives, Xavier?
>>>>
>>>> Hi Jonas,
>>>>
>>>> yes but the relevant lines are in if/then/else blocks:
>>>>
>>>> if (isVideo.youtube) {
>>>> ... video = '<iframe ... src="//www.youtube.com/embed/' + .../>
>>>>
>>>> so it looks like an admin choice, Daniel maybe I'm wrong here?
>>>>
>>
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 13 Nov 2021 07:28:56 GMT)