Re: Fedora 34 Change: Stop Shipping Individual Nodejs Library Packages (Self-Contained)

Hi,

this does not seem to be self-contained, since it seems to affect people
outside the SIG (it states that this is also affecting packages that are
not owned by the SIG).

On Wed, Dec 09, 2020 at 01:44:30PM -0500, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/NodejsLibrariesBundleByDefault
> 
> == Summary ==
> 
> For Nodejs, Fedora should only package:
> * The interpreter, development headers/libraries, and the assorted
> tools to manage project-level installations (NPM, yarn, etc.).
> * Packages that provide binaries that users would want to use in their shell.
> * compiled/binary nodejs modules (for now)
> 
> == Owner ==
> 
> * Name: [[User:tdawson| Troy Dawson]]
> * Email: tdawson@xxxxxxxxxx
> * Name: [[User:sgallagh| Stephen Gallagher]]
> * Email: sgallagh@xxxxxxxxxx
> * Name: [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> Nodejs SIG]]
> * Email: nodejs@xxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> == Detailed Description ==
> 
> The nodejs libraries have been approved to be bundled, and there is
> infrastructure in place for the bundling to work properly.  Currently,

What does this infrastructure look like? How does it help with
addressing security issues in the bundled components effectively?

> it is recommended that packagers should create individual nodejs
> library packages instead of bundling all of the libraries into the
> package requiring them.

The subject says "Stop Shipping Individual Nodejs Library Packages",
therefore it would be more clear to block all Nodejs libraries in Fedora
instead of only recommending this. Otherwise it will be some half-baked
solution that is probably confusing (Why are some libraries packaged and
others bundled?).

> This change is to make it default to bundle the nodejs libraries with
> the package that needs them, and retire the vast majority of nodejs
> library packages.
> In summary, for Nodejs Fedora should only package:
> * The interpreter, development headers/libraries, and the assorted
> tools to manage project-level installations (NPM, yarn, etc.).
> * Packages that provide binaries that users would want to use in their shell.
> * compiled/binary nodejs modules (for now)

This should also include the tooling that is needed to manage the
bundling.


> == Feedback ==
> 
> There has been a discussion on the fedora nodejs mailing list about
> what to do with the extreme dependency problem of the nodejs library
> packages.  Because of the extreme inter-dependency, upgrading almost
> any package causes others to break.  It has caused most packages to
> rot, remaining on unsupported versions for years.  Many of the nodejs
> packagers are giving up and orphaning their packages, which has caused
> even more problems.
> 
> An initial proposal was to find all of the important nodejs library
> packages and bundle those, making them easier to upgrade and maintain.
> But there were problems with figuring out what was important, and what
> versions should those have.  During that discussion, this rather
> extreme solution of getting rid of all nodejs libraries was proposed.
> To our surprise, it has been the best received suggestion and fixes
> the most problems.

What problems remain?

> 
> == Benefit to Fedora ==
> 
> * In Fedora 33, there are many nodejs libraries that are
> uninstallable, thus causing other programs based off them to also be
> uninstallable.  This gets rid of that problem.
> * Packages in Fedora that use nodejs libraries will be able to use the
> library versions that upstream has tested and approved.
> * If a package in Fedora uses a nodejs library, the packager will not
> have to also package extra individual nodejs library packages.  There
> have been times this has led to over 100 extra packages, each with
> their own package reviews and maintenance problems.  This change will
> lower the workload on that packager, and possibly get more packages
> into Fedora.
> * The nodejs maintainers can concentrate on nodejs itself, instead of
> the whole nodejs library infrastructure.
> * Nodejs developers using Fedora will no longer have to worry about
> Fedora's global nodejs libraries causing conflicts or inconsistencies.
> 
> == Scope ==
> * Proposal owners:
> We will go through the Fedora release and determine what nodejs
> packages Fedora should package. We will implement nodejs library
> bundling on those we already own.  For those that we do not own, we
> will work with their owners to implement nodejs library bundling.

What about future packagers? How will they learn/be enabled to do it the
right way?

> As packages implement nodejs library bundling, we will monitor the
> nodejs libraries and note which ones are no longer required.  When
> they are no longer required, we will retire them, if we own them.  If
> we do not own them, we will work with the owners to retire them, if
> they wish.
> 
> * Other developers:
> For Fedora packagers whose packages rely on nodejs libraries, please
> contact the [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> Nodejs SIG]] and we will help you find the easiest way to bundle your
> nodejs libraries.
> 
> For Fedora nodejs library packages, look to see what depends on your
> library.  If it looks like you can do so, retire your nodejs library.
> If you would like, give the
> [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> Nodejs SIG]] admin to your nodejs libraries, and they will work
> through the process for you.
> 
> * Release engineering: [https://pagure.io/releng/issues #Releng issue
> number] (a check of an impact with Release Engineering is needed)
> * Policies and guidelines: N/A (not a System Wide Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with Objectives:
> 
> 
> == Upgrade/compatibility impact ==
> N/A
> 
> 
> == How To Test ==
> 
> * Install all nodejs libraries in Fedora 33.  Try to update to Fedora 34.
> * Try to install all packages that require nodejs in Fedora 34.
> * Install all packages that require nodejs in Fedora 33.  Try to
> update to Fedora 34.

What are the recommended commands to do the testing?

> == User Experience ==
> Non-developer end users should not see anything different.  Their
> nodejs binaries should continue to work.
> 
> Nodejs developers using Fedora will no longer have to worry about
> Fedora's global nodejs libraries causing conflicts or inconsistencies.
> 
> 
> == Dependencies ==
> As nodejs library packages are removed, we will work with the various
> packages that depend on them. We will help them bundle their nodejs
> libraries.
> 
> 
> == Contingency Plan ==
> Since we will be bundling the nodejs binaries, before we remove their
> current dependencies, we will simply stop where we are at the freeze.
> There will be nothing to back out.
> 
> * Contingency mechanism: N/A
> * Contingency deadline: N/A
> * Blocks release? N/A
> * Blocks product? N/A
> 
> == Documentation ==
> N/A (not a System Wide Change)

This new rule should be properly documented for packagers.

Thanks
Till
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx