The new ipython notebook bundles a lot of javascript stuff, which is not yet included in fedora.
Therefore, I'd like to ask for a temporary bundling exception similarly to ticket #408 for '''backbone, bootstrap, jquery, jquery-ui '''and''' marked''' until they are shipped in Fedora. The ipython package will then be update to unbundle the rest of it.
Another special case is '''google-caja''', which seems to be put together by one of the ipython maintainers as a github mirror of the google sources at: https://github.com/minrk/google-caja-bower As the maintainer is the same like in ipython, the github source and the ipython source will always be 100% the same, which makes this more or less a copylib. I don't know if it is reasonable to do it in a similar fashion and copy somehow the google sources into fedora, just to unbundle it in ipython. What is your opinion to the latter? Is it allowed to get a bundling exception for google-caja?
Sorry, I forgot some other bundled libraries: '''bootstrap-tour''' and '''codemirror'''. Please add them to the temporary bundling exception from above...
+1 for temporary exception from me. Please do try to unbundle everything.
-1 from me.
4 weeks ago I would have agreed to an exception, but in the ages of Heartbleed, the amount of bundling requested here qualifies as irresponsible and thus the package as "not ready" for inclusion.
+1
Let's be practical here. I don't see how some Javascript UI libraries running in the browser could have a serious impact on security, especially in the context of IPython notebook, which the majority of users run and access on their local machine [citation needed]. This is just not comparable to OpenSSL.
This was discussed in the meeting from 2014-04-17 and quoting from [1]:
"Need one more from Rathann or abadger1999 in ticket"
As rathann has voted above with +1 (but corsepiu with -1), does that mean, this is now granted?
[1] http://meetbot.fedoraproject.org/fedora-meeting-1/2014-04-17/fpc.2014-04-17-16.00.log.html
jquery temporary exception lasts until the release that jquery enters the repository. For now, plan on temporary exception for other libraries will expire one release after jquery unbundling has entered the repository. Lessons from the jquery unbundling may lead us to change that time frame as it is our proof of concept of how to unbundle.
@patches/jamielinux: Do the following virtual provides look correct? We'd want them to match the eventual package names: {{{ Provides: bundled(backbone) Provides: bundled(bootstrap) Provides: bundled(jquery) Provides: bundled(jquery-ui) Provides: bundled(marked) Provides: bundled(google-caja) }}} Hmm... we didn't consider the notes about google-caja separately when we made the temporary exception. If you want to revisit it when the temporary exception expires, that would be fine. I think that we'd probably first want to see if it can be unbundled. If so, it should be. If not, then the same-upstream precedent might be enough to pass a permanent exception.
@afleig: javascript library security was already discussed and it was decided that security in javascript is just as important as any other code that we ship. It's worth noting that we discussed the separation of which CPU the code is running on as one possible difference between JavaScript and other languages however even that (rejected criteria) doesn't seem to apply here if, as you say, the majority of uses of this particular code is running on the user's local machine. UI libraries, scripting language libraries, and other code running in supposed sandboxes all have the potential for security vulnerabilities. javascript isn't really special in any of those regards.
I'd like it if we used the "js-" prefix where appropriate, although as a matter of practicality I'm probably going to repoquery for both when the time comes. :-)
Provides: bundled(backbone) This is a pure JavaScript library so it should be "js-backbone" Provides: bundled(jquery)
Provides: bundled(backbone) This is a pure JavaScript library so it should be "js-backbone"
Provides: bundled(jquery)
Should be "js-jquery" if this uses JQuery 2.x or else "js-jquery1" if this uses JQuery 1.x.
Provides: bundled(marked)
The "marked" package in Fedora contains a CLI markdown compiler for nodejs that uses the marked library, so definitely this needs to be "js-marked".
Speaking of that, this might be quickly fixable since we already have a nodejs marked package. I'll take a look at the necessary dependencies for building a browser version; we might be in luck and already have everything.
Provides: bundled(google-caja)
I guess "js-google-caja" here too, since it definitely doesn't bundle the Java component, just JavaScript bits. Packaged properly I suppose we'd have a main "google-caja" package with the Java compiler component and a "js-google-caja" subpackage with JS runtime components.
Replying to [comment:8 patches]:
This one was really easy actually. :-)
http://pkgs.fedoraproject.org/cgit/marked.git/commit/?id=de10c87f5e28d9cf307f41d33560fde343167458
There's now a js-marked package in rawhide and on the way to updates-testing for F20, F19, and EPEL6. Please let us know if you have any trouble with it.
Replying to [comment:9 patches]:
Replying to [comment:8 patches]: Speaking of that, this might be quickly fixable since we already have a nodejs marked package. I'll take a look at the necessary dependencies for building a browser version; we might be in luck and already have everything. This one was really easy actually. :-) http://pkgs.fedoraproject.org/cgit/marked.git/commit/?id=de10c87f5e28d9cf307f41d33560fde343167458 There's now a js-marked package in rawhide and on the way to updates-testing for F20, F19, and EPEL6. Please let us know if you have any trouble with it.
Works like a charm. Thanks! :)
Here is what I intend to Provide, is that fine?
{{{
Provides: bundled(js-backbone) Provides: bundled(bootstrap) Provides: bundled(js-bootstrap) Provides: bundled(bootstrap-tour) Provides: bundled(js-bootstrap-tour) Provides: bundled(codemirror) Provides: bundled(js-codemirror) Provides: bundled(js-jquery) Provides: bundled(js-jquery-ui) Provides: bundled(js-google-caja) }}}
The following JS stuff has now already been unbundled: {{{ fontawesome-fonts-web nodejs-requirejs nodejs-underscore js-highlight js-marked }}}
I hope I didn't miss something. Any double checking is highly appreciated. The changes are now pushed to
http://pkgs.fedoraproject.org/cgit/ipython.git/?h=next
And a scratch build is at
http://koji.fedoraproject.org/koji/taskinfo?taskID=6883972
I guess, I can take the marked package as an example for a google-caja package. Will have a look at that after ipython is working fine in rawhide.
Login to comment on this ticket.