Need help building libpandoc, Haskell + C and .NET bindings for Pandoc

I'd love to use Pandoc in a utility I'm writing (C# console app) and I found this bindings project on GitHub, libpandoc, and by extension, its .NET bindings project, libpandoc-dotnet.
I wish the author had included the built DLL but I suppose he wanted to leave it open to future Pandoc versions.
I have no Haskell experience whatsoever, I just want the .NET bindings in the end. I'm trying to install the dependencies via cabal but I don't understand the error messages and a cursory search leads me to believe installing base is a no-no, so I'm not sure what to do.
C:\Development\Contrib\libpandoc>cabal install base-4.1.0.0
Resolving dependencies...
cabal: Could not resolve dependencies:
next goal: base (user goal)
rejecting: base-3.0.3.2, 3.0.3.1, 4.6.0.1, 4.6.0.0, 4.5.1.0/installed-7c8...,
4.5.1.0, 4.5.0.0, 4.4.1.0, 4.4.0.0, 4.3.1.0, 4.3.0.0, 4.2.0.2, 4.2.0.1,
4.2.0.0 (global constraint requires ==4.1.0.0)
rejecting: base-4.1.0.0 (only already installed instances can be used)
rejecting: base-4.0.0.0 (global constraint requires ==4.1.0.0)
If a kind soul could even build the damn thing (fork it? upload it somewhere?) I'd love you forever. Alternatively, show me how to build it properly and I can handle it from there I think. Though now that I think about it, not sure I have a C compiler installed.
Update:
OK. So it all comes down to the fact that libpandoc is 3 years old and its dependencies are out of date. I had no luck trying to get all the old Haskell tools to install and work, I probably had no idea what I was doing. I got as far as installing some dependencies but some dependencies weren't versioned so I had to track each version specifically and I eventually gave up.
I then just updated the dependency versions for libpandoc itself and now I've got all the dependencies built and linked.
The only remaining issue is that libpandoc needs to be updated to work against the latest Pandoc release (1.10).

Related

Vulnerabilities of #typescript/eslint-plugin?

There are two packages, TSLint,
https://github.com/palantir/tslint
and its overcomer, typescript-eslint,
https://github.com/typescript-eslint/typescript-eslint
They have some of the same maintainers. typescript-eslint is referring to the older one in its documentation.
Palantir is a company, that has not only with its name a twilighting taste, and I'm not sure, that this is a safe package. Their products are seen as insightful for some and as spyware for others. So it's not totally clear, if it is a benevolent contribution to the public or there might be something about it, that should be seen critical.
Especially if we have to care about personal data in our app. #typescript/eslint-plugin cannot be removed from a build environment of Create-React-App with typescript, because it is also the "parser", mentioned in ".eslintrc".
How to calm down the troubles? How to be sure, there is no leak? Or can I exclude it from the node_modules folder and be able to get a "build" from create-react-app?
The AST-scanning of a parser allows also to insert functionality to capture all content, flowing through the functions. It's easily possible to write your own rule, that can deploy a bunch of wrappers on every function call, that sends all your information to some location and needs just to be applied with eslint --fix in every file.
ESLint is not a vulnerability vector because it only touches source code. This means that in order for it to compromise your code, you have to do the following:
(1) install a compromised eslint plugin.
(2) manually turn on the compromised eslint rule.
(3) run the compromised autofix via eslint --fix.
(4) ignore the changes to your source code and ship the compromised code to production.
(1) & (2) are enough of a hurdle that it's not going to happen, or if it does then someone will very quickly detect the compromise and report a security problem.
(3) requires manual action by an engineer to cause.
(4) can easily be caught by any peer review process before merging your code, because again; eslint operates solely on source code.
create-react-app is also properly configured such that it will ensure eslint does not run on your build code. AFAIK - it also does not run ESLint when doing a production build either.
Modern JS development (like any language development that relies upon third-party code) is built upon a chain-of-trust. You trust that the packages you install and their dependencies are safe. CRA has decided that eslint, typescript-eslint, et al are all trusted - thus they include them as dependencies.
If you trust CRA, then you must trust its dependencies as well.
If you don't trust CRA or one of its dependencies - then you don't install it, and you build your own in-house solution.
tslint is safe, and always has been. If Palantir was some shady company and injected malware into their package - someone would very quickly find it and report a vulnerability - destroying the credibility of the project and the company.
typescript-eslint has no relationship to palantir or tslint. The projects are entirely separate - they have different maintainers, and typescript-eslint is owned by no company.
typescript-eslint (like tslint) is also completely open source - if you're worried about anything - you can just spend the time verifying it is safe yourself.
typescript-eslint (like tslint) is also shipped to NPM (and thus to your computer) as un-obfuscated, unminified JS. You can easily spend the time to verify that the code you've received matches the code in the OSS repo and is safe.
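A first step toward the verification described in the answer above, added here as an example and not taken from the original post or from npm's own code: check that package bytes match the SRI "integrity" value recorded in package-lock.json, and flag lockfile entries that cannot be verified strongly. Comparing the package contents against the source repository is a separate step this does not cover; the package names, tarball bytes and lockfile below are constructed.

```javascript
// Added example: verify bytes against a package-lock.json "integrity" (SRI) value.
// Package names, tarball bytes and the lockfile are constructed for the demo.
const { createHash } = require('node:crypto');

const STRENGTH = ['sha512', 'sha384', 'sha256', 'sha1']; // strongest first

// Parse an SRI string ("sha512-<b64> sha1-<b64>") into {algo, digest} entries.
function parseIntegrity(sri) {
  return String(sri || '').trim().split(/\s+/).filter(Boolean).map((part) => {
    const dash = part.indexOf('-');
    return { algo: part.slice(0, dash), digest: part.slice(dash + 1).split('?')[0] };
  }).filter((e) => STRENGTH.includes(e.algo));
}

// Check the bytes against the strongest hash present in the SRI string.
function verifyTarball(bytes, sri) {
  const entries = parseIntegrity(sri);
  if (entries.length === 0) return { ok: false, reason: 'no usable integrity value' };
  entries.sort((a, b) => STRENGTH.indexOf(a.algo) - STRENGTH.indexOf(b.algo));
  const { algo, digest } = entries[0];
  const ok = createHash(algo).update(bytes).digest().equals(Buffer.from(digest, 'base64'));
  return { ok, algo, reason: ok ? 'match' : 'digest mismatch' };
}

// Walk a lockfile (lockfileVersion 2/3 "packages" map) and list weak or missing hashes.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || meta.link) continue; // root project and links have no tarball
    const algos = parseIntegrity(meta.integrity).map((e) => e.algo);
    if (algos.length === 0) findings.push(`${path}: missing integrity`);
    else if (algos.every((a) => a === 'sha1')) findings.push(`${path}: sha1 only`);
  }
  return findings;
}

// Constructed sample data: a stand-in "tarball" and a lockfile recording its hash.
const tarball = Buffer.from('constructed tarball bytes for demo-plugin 1.0.0');
const sri = 'sha512-' + createHash('sha512').update(tarball).digest('base64');
const lock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/demo-plugin': { version: '1.0.0', integrity: sri },
    'node_modules/legacy-dep': { version: '0.1.0', integrity: 'sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=' },
    'node_modules/git-dep': { version: '2.0.0', resolved: 'git+https://example.invalid/git-dep.git' },
  },
};
console.log(verifyTarball(tarball, sri), auditLockfile(lock));
```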

AngularJS throws Error: [ng:cpws] Can't copy! Making copies

I installed a project from work on my personal computer and only on my machine I get this runtime error. I personally think it has to do with the way the code is compiled.
My question is why the error appears on my machine only?
Error: [ng:cpws] Can't copy! Making copies of Window or Scope instances is not supported.
https://errors.angularjs.org/1.6.7/ng/cpws
The first thing I checked was whether the node and npm versions are the same, and they are:
node: v8.11.3
npm: 5.6.0
OS: Windows 10
The piece of code that generates this error is using $scope.$watch(object, callback, true). After looking at the angular documentation I deleted the third parameter which seemed to be the trouble maker. After that, I encountered other problems so I asked myself why on my machine (which from an environment perspective is the same) the error appears and I stopped modifying the code and started looking at the building part.
I don't know if this will help you but the page that generates the error contains a form built using angular-formly.
Also, we are using laravel mix to compile the code.
UPDATE
I just updated the node and npm version. At first, I had some issues with the node-sass package but I solved it.
I still have the errors. :(
node: v11.10.0
npm: 6.8.0
Try to recheck if the correct version of angularjs is loaded for you. Many boilerplates declare the angular dependency using something like:
...
"angular": "^1.6.7",
...
When npm sees this it will load the latest MINOR version if the library is not in node_modules directory. If it is in the node_modules directory and it is greater or equal to 1.6 it will leave it as is. Having a package-lock file might save you from this issue if you actually commit it in the version control system that you use.
This is problematic because loading the 1.7 version might bring in backward incompatible changes (angularjs does not respect semver).
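How a caret range like the one in the answer above floats, and how to list dependencies that are not exact pins, as an added example that is not part of the original answer. It handles plain x.y.z versions only (no prerelease tags, no other range operators); the published-version list and the package.json contents are constructed.

```javascript
// Added example: caret-range resolution with simplified semver (plain x.y.z only).
// The version list and package.json below are constructed for the demo.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of ^x.y.z: the left-most non-zero component is bumped.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Highest available version satisfying an exact pin or a caret range.
function resolve(range, available) {
  const caret = range.startsWith('^');
  const low = parse(caret ? range.slice(1) : range);
  const high = caret ? caretUpperBound(low) : null;
  const hits = available.map(parse).filter((v) =>
    (caret ? cmp(v, low) >= 0 && cmp(v, high) < 0 : cmp(v, low) === 0));
  hits.sort(cmp);
  return hits.length ? hits[hits.length - 1].join('.') : null;
}

// Names of dependencies whose declared range is not an exact x.y.z pin.
function floatingDeps(pkg) {
  const all = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.keys(all).filter((n) => !/^\d+\.\d+\.\d+$/.test(all[n])).sort();
}

const published = ['1.6.7', '1.6.10', '1.7.9', '1.8.3', '2.0.0']; // constructed list
const pkg = { // constructed package.json
  dependencies: { angular: '^1.6.7', 'angular-formly': '8.4.1' },
  devDependencies: { 'laravel-mix': '~2.1.0', 'node-sass': 'latest' },
};

console.log(resolve('^1.6.7', published)); // what a fresh install without a lockfile may pick
console.log(resolve('1.6.7', published));  // what an exact pin picks
console.log(floatingDeps(pkg));
```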

Gradle for AngularJS Application

I'm pretty new to gradle and currently there is a question that bugs me. The situation appears as follows: Based on a bower technology stack I implemented an Angular App. The app as it is doesn't change nor has it to be built in any way since there are just static javascript and HTML pages. In my opinion the used versions of angular, bootstrap and other libraries should also stay the same due to compatibility of the single libraries so these files also shouldn't change. Is this a correct behavior or should I get at least the latest build of the used libraries version as I deploy the application?
Also less is used in the application. Is there a way to compile the CSS every time I run the gradle build file or should I deliver just the compiled and finished CSS file?
As a result I'm also not quite sure if it's recommended at all using gradle to deploy a "static" angular application.
I hope someone out there can help me to answer the questions above. As you can guess, I'm not very experienced at deploying such angular applications since this is my first project with this kind of problem.
This goes for all package managers, not just gradle but npm, gem, nuget, maven, whatever.
Use static dependency version numbers. Otherwise you will end up finding breaking dependencies in QA or Prod rather than production.
This means you need to be aware of security fixes in your dependencies.
When you need a feature or fix in a new version of your dependencies, unlock the versions, rebuild and test in dev. Re-lock the dependencies and send to QA for verification.

Combine Debian packages with libraries installed from source

On my linux (Ubuntu 11.04) development machine, I often need to install libraries from source. This always causes problems for me because the package manager doesn't consider packages installed from source when it checks dependencies. This makes the package manager worthless to me since once I install one set of libs from source (especially if they are vital to the gnome environment i.e. gstreamer), I can never use it again without screwing up my entire distro with mixed dependencies. It seems to me that it would be relatively simple to check the dependencies with pkg-config without having to worry with the deb database. I don't mind writing a little code here. Does anyone have any ideas?
Alternatively, you should look into the equivs package, which is made exactly for the purpose of creating empty .debs that will make apt/dpkg think a certain package is installed when it isn't.
Grab the source package from Debian unstable and build a .deb from that using the developer tools. If you need an even newer upstream version, you can apply the .diff.gz part of the Debian source to an upstream tarball and get a build infrastructure that has good chances of working. If it doesn't, I'm sure the package maintainer would appreciate patches to make it work with the new upstream version.
Another option would be checkinstall. It creates a .deb package containing dependency information, but also you will be able to uninstall it via package management.

Clutter Toolkit Dependencies - Ubuntu 11.04

Is there an obvious way to get Clutter Toolkit up and running in Ubuntu? It seems like there is a huge list of dependencies as I try compiling it.
The current dependency which I am unable to resolve is "cogl-pango-1.0".
Any suggestions on getting up and running with Clutter, for development?
11.04 already ships with clutter 1.6.14: http://packages.ubuntu.com/natty/libclutter-1.0-0
see also: http://packages.ubuntu.com/source/natty/clutter-1.0 for the development and documentation packages.
the dependencies list is not "huge": most of the requirements are already available in 11.04 as -devel or -dev.
if you want to build from sources, I can recommend using jhbuild: the necessary steps are provided here: http://wiki.clutter-project.org/wiki/BuildingClutter#Building_from_Git
