Closed Bug 699739 Opened 13 years ago Closed 13 years ago

Update known libaries hashes whitelist

Categories

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

Product:
addons.mozilla.org Graveyard
Component:
Add-on Validation
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: TheOne, Assigned: basta)

References

(
URL
)

Details

(Whiteboard: [ReviewTeam]) 

Please update the libraries hashes whitelist so it recognizes recent jQuery versions. At least v.1.6.4 (min) is not recognized.
Also, it would be really good to know which file each hash belongs to.
Whiteboard: [required amo-editors]
Target Milestone: --- → 6.3.0
Target Milestone: 6.3.0 → 6.3.1
I think this is just running a script.  Matt: do you have time for this?
Assignee: nobody → mattbasta
This pull should address all of the jQuery versions prior to 1.7:

https://github.com/mozilla/amo-validator/pull/93

The only thing about this pull is that new Jetpack stuff has been merged into master since it was made, so I'll rebase that stuff out when I have a minute. Jasmine sent me the student worker contract with a start date in a few days, so I can just take care of this once things are all signed and wrapped up.

With regard to version numbers, that's a tough one. Hashes aren't generated by version number, they're generated by URL. The reason is because there are multiple versions of each version (i.e.: unminified, minified, packed, etc.). That would be better off as a separate bug, but I'd be curious as to whether listing the version would be particularly important, since virtually all JS libraries list their version number in the head of the file (even minified ones). Is there a particular scenario where knowing which version of the library being flagged is important?
Well I guess it's not particularly important, but when a library is not known by the validator, it's completely unknown whether that version has just not yet been added or whether the author modified a version the validator knows about.

So with a quick look at the whitelist file, an editor could easily search for the version number there and see if there is an entry (with a different md5sum) or whether the editor has to go to the libraries website and download and md5sum the original version manually.

That's not a big deal itself, but the validator whitelist has been outdated quite a couple of times and authors often use a very recent version of their library.

If it's too much effort to effort to implement it for this scenario, that's ok. But then, please consider running that whitelist update script on a regular base and not just on request.
Matt: If we remove the files from the repository (just have the code look in a directory for them and fail gracefully if they aren't there) we can add the update script to our deployment script and have it run whenever we push (assuming it runs relatively quickly).  I can help with the deployment stuff.
Target Milestone: 6.3.1 → 6.3.2
Target Milestone: 6.3.2 → 6.3.3
I've updated the pull request with more JS libraries and a few minor tweaks. It should be good to go.

https://github.com/mozilla/amo-validator/pull/93
Merged:

https://github.com/mozilla/amo-validator/commit/621728dc616c80e9c50caa665b1268d308e5cf4a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Reclassifying editor bugs and changing to a new whiteboard flag. Spam, spam, spam, spam...
Whiteboard: [required amo-editors] → [ReviewTeam]
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.