Debian Bug report logs - #903428
javadocs generated by javahelper include jquery

Package: javahelper; Maintainer for javahelper is Debian Java Maintainers <[email protected]>; Source for javahelper is src:javatools.

Reported by: Thomas Koch <[email protected]>

Date: Mon, 9 Jul 2018 19:51:02 UTC

Severity: important

Tags: newcomer


Message #78 received at [email protected]:

Sender: tony mancill <[email protected]>
Date: Sat, 11 Aug 2018 11:12:32 -0700
From: tony mancill <[email protected]>
To: Markus Koschany <[email protected]>, [email protected]
Subject: Re: Bug#903428: javadocs generated by javahelper include jquery
Message-ID: <20180811181232.GB27501@lark>
[Message part 1 (text/plain, inline)]
On Sat, Aug 11, 2018 at 10:12:03AM +0200, Markus Koschany wrote:
> FTR: I have talked to Matthias Klose (doko) at DebConf18 about the
> embedding of jquery into javadoc packages. He pointed me to a similar
> discussion in doxygen which also embeds jquery while building doc packages.
> 
> In short he doesn't consider it to be a worthwhile task because there is
> a risk of breaking the documentation when Debian's system jquery version
> is either too old or too new. The security risk of embedding jquery is
> also rather low in this case because the documentation is static in
> contrast to web applications and it is unlikely that users would be
> affected by jquery vulnerabilities.
> 
> README.jquery in doxygen explains the problem in more detail.
> 
> https://sources.debian.org/src/doxygen/1.8.13-10/debian/README.jquery/
> 
> All in all there is no chance that a patch to change the current
> situation would be accepted, hence I no longer intend to spend time on it.

Hi Markus,

I'm glad that you were able to discuss this directly with Matthias, and
thank you for sharing the gist of that conversation.  For our sanity, I
will take a look to see if we can get the severity of the lintian
warning [1] reduced to some lower level (pedantic?) or completely
ignored for javadoc packages.

Cheers,
tony

[1] https://lintian.debian.org/tags/embedded-javascript-library.html


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 14:25:37 2025; Machine Name: buxtehude
