The sao application's built artifacts are merged with its very source tree, making it very difficult to trim sources and dependency sources from the few files that actually ought to be served for SAO to work.
All sources are available for download from Tryton servers, e.g.
- https://demo6.8.tryton.org/package.json
- https://demo6.8.tryton.org/CHANGELOG
- Sao Test Suite
- https://demo6.8.tryton.org/locale/fr.po
- https://demo6.8.tryton.org/bower_components/c3/docs/index.html.haml
This is borderline a vulnerability (CWE-668: Exposure of Resource to Wrong Sphere (4.11)) if everything weren't FOSS, but it still screams bad practice.
The biggest concern is that SAO builds are unnecessarily bloated; e.g. in Tryton's official Docker image:
$ docker run --rm -ti tryton/tryton du -hs /var/lib/trytond/www
74M /var/lib/trytond/www
while only about 5MB worth of files are linked in index.html or retrieved via AJAX.
Namely, the distributed folder contains bloated papaparse documentation fixtures such as
48M ./www/bower_components/papaparse/docs/resources/files/big.csv
There is no easy workaround that does not involve cherry-picking known served files (images/*.svg, locale/*.json and anything linked in index.html), and I know of no canonical, robust mechanism to do this.
The easiest workaround so far is to recursively download the demo server assets with wget and then fill in the gaps for images and locales (which are not listed in index.html and are only retrieved via AJAX).
Related discussions:
- State of the dependencies of the web client
- Feasability to replace sao (js) by python for web client
Can we discuss a plan to address this, possibly alongside a bower+grunt deprecation?
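The cherry-picking workaround described above, written out as an added POSIX shell example (this is not code from the Tryton project or from the original post). It applies the allow-list the post names: index.html itself, every local src=/href= target in it, plus images/*.svg and locale/*.json, which sao fetches via AJAX. The sample www tree it builds (including a stand-in for the papaparse big.csv fixture and a locale .po source) is constructed for the demonstration; the attribute-scraping rule is an assumption about what index.html links and is not a substitute for inspecting a real build.

```shell
#!/bin/sh
# Added example, not from Tryton/sao: copy only the files a sao "www" tree
# actually serves into a trimmed directory, so sources, dependency sources
# and test fixtures (package.json, *.po, bower_components/**/docs) stay out
# of the served tree. Rule (from the post): index.html, its local src=/href=
# targets, images/*.svg and locale/*.json.
set -eu

# Build a small constructed stand-in for /var/lib/trytond/www (sample data).
make_sample_www() {
    dir="$1"
    mkdir -p "$dir/dist" "$dir/images" "$dir/locale" \
             "$dir/bower_components/papaparse/docs/resources/files"
    cat > "$dir/index.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="dist/tryton-sao.min.css">
<script src="dist/tryton-sao.min.js"></script>
<a href="https://www.tryton.org/">Tryton</a>
</head><body></body></html>
EOF
    echo 'body{}'  > "$dir/dist/tryton-sao.min.css"
    echo '// app'  > "$dir/dist/tryton-sao.min.js"
    echo '<svg/>'  > "$dir/images/tryton.svg"
    echo '{}'      > "$dir/locale/fr.json"
    echo 'msgid ""' > "$dir/locale/fr.po"         # translation source, not served
    echo 'a,b,c'   > "$dir/bower_components/papaparse/docs/resources/files/big.csv"
    echo '{"name":"tryton-sao"}' > "$dir/package.json"
}

# Print the relative paths referenced by src="..." / href="..." in index.html.
# Remote URLs, protocol-relative URLs, anchors and data: URIs are skipped.
linked_assets() {
    grep -o -E '(src|href)="[^"]+"' "$1/index.html" \
        | sed -E 's/^(src|href)="([^"]+)"$/\2/' \
        | grep -v -E '^(https?:|//|#|data:)' || true
}

# Print the AJAX-fetched assets that index.html never lists.
ajax_assets() {
    (cd "$1" && { find images -type f -name '*.svg'
                  find locale -type f -name '*.json'; }) 2>/dev/null || true
}

# Copy the allow-listed files from $1 into $2, preserving the directory layout.
# A reference to a file that does not exist is reported, not silently dropped.
trim_www() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp "$src/index.html" "$dst/index.html"
    { linked_assets "$src"; ajax_assets "$src"; } | while IFS= read -r rel; do
        if [ -f "$src/$rel" ]; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp "$src/$rel" "$dst/$rel"
        else
            echo "warning: index.html references missing file: $rel" >&2
        fi
    done
}

# Count regular files in a tree, for a before/after comparison.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Stand-alone demo: sh trim-www.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_www "$work/www"
    trim_www "$work/www" "$work/www-trimmed"
    echo "files before: $(count_files "$work/www")"
    echo "files after:  $(count_files "$work/www-trimmed")"
    find "$work/www-trimmed" -type f | sed "s|^$work/||"
    rm -rf "$work"
fi
```

Against a real build you would call `trim_www /var/lib/trytond/www /some/empty/dir` and then diff the trimmed tree against what the demo server is observed to fetch; any file the application requests at runtime but which the allow-list misses shows up as a 404 in the server log, which is the check that the rule is complete for your version of sao.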