
bump jquery to 3.4.1 and update linking #549

Conversation

kevgreen-ebay-com

@coveralls

coveralls commented Feb 10, 2020


Coverage remained the same at 81.306% when pulling 0492c69 on kevgreen-ebay-com:529-jquery-out-of-date-vs-v1.1.0 into 82c4897 on voxpupuli:master.

@kevgreen-ebay-com

I've tested that this doesn't generate any HTTP errors, except for favicon.ico, but I don't think that's provided in the code anyway, and I had a glance at my browser's script console and don't think it's caused any extra troubles. There is a possibility of incompatibility between jquery and related js code that sits alongside it, but I would not know how to test for that really.


@anarcat anarcat left a comment


thanks for the pull request!

i wonder how to review this. because we commit the .min.js file directly, there's basically no way of reviewing this code reliably without recompiling it or comparing with another source, at which point it's basically the same as doing the patch ourselves...

shouldn't we fetch this file as part of the build process or something?

in any case, i'm happy to merge this if someone (else?) makes sure the JS is trustworthy...

@kevgreen-ebay-com

kevgreen-ebay-com commented Feb 10, 2020

Honestly, I really haven't put anything nefarious on top of the distribution version of jquery:

$:puppetboard/puppetboard/static/jquery-3.4.1$ md5sum jquery.min.*
220afd743d9e9643852e31a135a9f3ae jquery.min.js
04b42631197bc74a486afe5b76699779 jquery.min.map
$:puppetboard/puppetboard/static/jquery-3.4.1$ wget -q https://code.jquery.com/jquery-3.4.1.min.map https://code.jquery.com/jquery-3.4.1.min.js
$:puppetboard/puppetboard/static/jquery-3.4.1$ md5sum jquery-3.4.1.min.*
220afd743d9e9643852e31a135a9f3ae jquery-3.4.1.min.js
04b42631197bc74a486afe5b76699779 jquery-3.4.1.min.map
$:puppetboard/puppetboard/static/jquery-3.4.1$

Now, whether or not you trust the vendors of jquery itself not to do anything nefarious, well, that is another matter ;)

Fetching it as a part of the build process probably makes a lot more sense, but you'd need a sane workaround for the versioned path and filename situation in your pipeline, while still being able to demonstrate which version of jquery belongs with which version of puppetboard. Shouldn't be too hard though.

@anarcat

anarcat commented Feb 10, 2020

Honestly, I really haven't put anything nefarious on top of the distribution version of jquery:

well of course you'd say that. :) that's not the point, the point is for us to figure out how we make sure you're telling the truth, or maybe avoid that requirement altogether so that we don't have that awkward conversation again in the future. :p

Fetching it as a part of the build process probably makes a lot more sense, but you'd need a sane workaround for the versioned path and filename situation in your pipeline, while still being able to demonstrate which version of jquery belongs with which version of puppetboard. Shouldn't be too hard though.

maybe we could commit checksums in the build system, for example. alternatively what we do in Debian packaging is we check upstream OpenPGP signatures so that we know we at least get what we expect from upstream.

now whether we actually trust upstream is a whole other ball game of course, but maybe we can assume enough eyeballs are looking at jquery for that not to matter for this specific project?
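The thread's two review ideas, comparing the vendored file against the upstream download and committing checksums in the build system, can be turned into a CI check. The script below is an added example, not code from puppetboard or from anyone in this thread; the manifest format (the `sha256sum` layout so it can be regenerated with standard tools), the helper names, and the file contents are assumptions constructed for the illustration, and the only details taken from the discussion are the vendored path and filenames. It pins SHA-256 rather than the MD5 shown in the comment above, since MD5 collisions are practical and a pinned digest exists precisely to detect a deliberately altered file. It also emits the Subresource Integrity value for the same bytes, which lets a page that loads the asset from a CDN enforce the same pin in the browser.

```python
"""Verify vendored third-party assets against checksums committed with them.

Added example, not puppetboard's own code. Manifest layout, helper names and
the sample file bytes below are assumptions made for this illustration.
"""
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex digest, the format `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(text: str) -> dict:
    """Parse '<sha256 hex>  <path>' lines (sha256sum layout).

    Blank lines and '#' comments are skipped; a leading '*' on the path
    (sha256sum's binary-mode marker) is tolerated; anything that is not a
    64-character hex digest is rejected so a corrupted manifest fails loudly.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in manifest line: {raw!r}")
        pinned[path.strip().lstrip("*")] = digest
    return pinned


def verify_assets(pinned: dict, present: dict) -> dict:
    """Compare pinned digests with the files actually in the tree.

    `present` maps relative path -> file bytes. Every path ends up with one
    status: 'ok', 'mismatch' (bytes differ from the pin), 'missing' (pinned
    but absent) or 'unpinned' (present but nobody reviewed it).
    """
    report = {}
    for path, expected in pinned.items():
        if path not in present:
            report[path] = "missing"
        elif sha256_hex(present[path]) == expected:
            report[path] = "ok"
        else:
            report[path] = "mismatch"
    for path in present:
        if path not in pinned:
            report[path] = "unpinned"
    return report


def all_ok(report: dict) -> bool:
    """True only when every vendored file is both pinned and unchanged."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed stand-ins for the vendored files; these are NOT the real jQuery bytes.
JS_PATH = "puppetboard/puppetboard/static/jquery-3.4.1/jquery.min.js"
MAP_PATH = "puppetboard/puppetboard/static/jquery-3.4.1/jquery.min.map"
GOOD_JS = b"/*! jQuery v3.4.1 (constructed stand-in) */ window.jQuery = function () {};\n"
GOOD_MAP = b'{"version":3,"file":"jquery.min.js","sources":[]}\n'
TAMPERED_JS = GOOD_JS + b"/* one appended statement is enough to change the digest */\n"

# What a reviewer would commit next to the vendored files after checking them
# against the upstream download; regenerated only on a deliberate upgrade.
MANIFEST = (
    "# sha256 of vendored assets (constructed example)\n"
    f"{sha256_hex(GOOD_JS)}  {JS_PATH}\n"
    f"{sha256_hex(GOOD_MAP)}  {MAP_PATH}\n"
)


def demo() -> tuple:
    """Run the check once on a clean tree and once on a tampered one."""
    pinned = parse_manifest(MANIFEST)
    clean = verify_assets(pinned, {JS_PATH: GOOD_JS, MAP_PATH: GOOD_MAP})
    tampered = verify_assets(pinned, {JS_PATH: TAMPERED_JS})
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean, "->", "pass" if all_ok(clean) else "FAIL")
    print("tampered tree:", tampered, "->", "pass" if all_ok(tampered) else "FAIL")
    print("SRI for the vendored script:", sri_hash(GOOD_JS))
```

In a real pipeline the `present` mapping would be built by walking the vendored directory, and a non-zero exit on anything other than `all_ok` would block the merge; the `unpinned` status matters as much as `mismatch`, because a file dropped into `static/` without a manifest line has never been reviewed against upstream. This verifies that the bytes match what a maintainer pinned; whether the pinned upstream release is itself trustworthy is the separate question the thread raises, and checking the upstream OpenPGP signature at pin time is the usual answer.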

@ghoneycutt ghoneycutt merged commit c215ebd into voxpupuli:master Feb 10, 2020