Tuesday, October 31, 2017

Issues with the Dojo package on Debian

On main thing that is currently (and has been) delaying the update of the LedgerSMB package in Debian is that it depends on the Dojo package and that has not been updated to a more current version.  The version even in Debian Unstable ('Sid') is only at v1.11.0 while IIRC, the version the LedgeSMB 1.5.x series has been built against is at v1.12.2.
And issues related to Dojo also prevented any version of LedgerSMB from being released with Debian v9 ('Stretch'), because the dojo package was removed from there due to a Failure To Build From Source (FTBFS) bug, #852923. And so LedgerSMB was also removed from Stretch prior to the release of Debian v9 because it depends on the Dojo packages.  (And is still not present in the current Debian Testing, 'Buster', for the same reason.)
That bug is tagged as being "fixed-upstream".  That often means that it was fixed in a newer version of upstream.  What is generally used in Debian to track upstream sources is the debian/watch file. And what is commonly used as a referernce for the results and status of that are in the Package QA and PackageTracker pages for the packages in question, because part of what they display are the results of checks regarding the upstream sources.
However, in the case of Dojo; all that has been getting displayed is an error about not being able to access the upstream archive:
The package has a debian/watch file, but the last attempt to use it for checking for newer upstream versions failed with an error:In watchfile debian/watch, reading webpage failed: 404 Not Found
Which showed that the process was able to find what seemed to be a newer version but was not able to access it. The same thing happens if one goes to the downloads page directly and attempts to download the achive that way (It was listed under 'Other Projects' in the 2nd column of the page.  The link itself shows as the

$ wget
--2017-10-22 09:40:06--
Resolving (
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-10-22 09:40:06 ERROR 404: Not Found.

That has been the status for quite awhile and I had not seen any updated information, or even any comment, about it in the bug or anywhere else. So I thought I'd do some more research of my own, and one thing I did was to post the following to the dojo IRC channel on freenode:
There seems to be a problem with the 'shrinksafe' link on the downloads page;  attempting to access it in order to download the archive just results in a  'ERROR 404: Not Found" error.
After some discussion clarifying what I was referring to, a response to that was as follows:
it was bundled separately in the dojo 1.1 - 1.3 days
so likely just a left over...
Apropos to that, the original packaging for Dojo when it was brought into Debian was back in 2010 with Dojo v1.3.2, so that matches up.

One thing that was also mentioned by that same someone in the dojo IRC channel, when I mentioned that this was related to the dojo Debian package:
"any serious user will either use a custom build or a CDN reference"
Well perhaps that just shows his (and others who hold similar opinons)  lack of knowledge regarding Debian and Debian packages more than anything else, because after all a Debian package is a "custom build";  one that in this case installs the javascript libraries to a specific and standard directory on a Debian system so that it can be available to whatever would like to use them.

I also sent an email to server-ops at the dojotoolkit site about the issue, advising of the error resulting from attempting to access the archive at the link provided on the downloads page, wondering if that link is even still relevent and closing with the following:
So I'm wondering if the dojo-release-1.13.0-src.tar.gz archive, for instance, has entirely replaced an archive like dojo-release-1.13.0-shrinksafe.tar.gz which is not available any longer because it's no longer needed.
The response I received back regarding that included the following:
Usage of ShrinkSafe is declining and while not formally deprecated, it really hasn't been updated in quite a while other than to make sure it's not broken. Most people today would use either Closure Compiler, Uglify, or webpack.
And yes, the dojo-release tarball would be a suitable replacement.

That all certainly explains why that 'shrinksafe' archive is no longer available (although perhaps not why it's still  being referenced on the Dojo downloads page.

However, I next decided to clone the Debian Dojo packaging Git reposotory to take a direct look at the packaging and its history.  When I checked the most recent version of the debian/watch file there, I found that it is already pointing to the 'src' archive rather than the 'shrinksafe' archive.  Downloaded the most current version in Debian Unstable and checked the debian/watch file there, and found that there it is also pointing to the 'src' file.  So the question becomes;  why are the sites like the still referencing the wrongURL?
What seems to be happening is that the uscan process is not looking in the release subdirectories, even though that seems to be intent of "/release-(\d.*)/" part of the URL being looked at. What I found is that, apparrantly with the 1.11.0~rc3+dfsg-1 verison of the package, the debian/watch file stops working correctly, while in the previous version 1.10.4+dfsg-2 it does works correctly.  The difference appearing to be changing "/release-([\d\.]*)/"   to  "/release-(\d.*)/" in the URL template part the command, apparently instended to "Support development versions" according to the 1.11.0~rc3+dfsg-1  debian/changelog.  Adding those square brackets back in allows it to correctly find and repack the correct version of the archive, which is currently for 1.13.0 (dojo 2 having not yet been released and in any case it's not yet clear that they will be releasing that on the same page).
Sent an update to the debian bug about the issue.

No comments:

Post a Comment