On Fri, Dec 11, 2020 at 9:32 AM Troy Dawson <tdawson@xxxxxxxxxx> wrote:
>
> On Fri, Dec 11, 2020 at 3:18 AM Till Maas <opensource@xxxxxxxxx> wrote:
> >
> > Hi,
> >
> > this does not seem to be self-contained, since it seems to affect people
> > outside the SIG (it states that this is also affecting packages that are
> > not owned by the SIG).
> >
> > On Wed, Dec 09, 2020 at 01:44:30PM -0500, Ben Cotton wrote:
> > > https://fedoraproject.org/wiki/Changes/NodejsLibrariesBundleByDefault
> > >
> > > == Summary ==
> > >
> > > For Nodejs, Fedora should only package:
> > > * The interpreter, development headers/libraries, and the assorted
> > > tools to manage project-level installations (NPM, yarn, etc.).
> > > * Packages that provide binaries that users would want to use in their shell.
> > > * compiled/binary nodejs modules (for now)
> > >
> > > == Owner ==
> > >
> > > * Name: [[User:tdawson| Troy Dawson]]
> > > * Email: tdawson@xxxxxxxxxx
> > > * Name: [[User:sgallagh| Stephen Gallagher]]
> > > * Email: sgallagh@xxxxxxxxxx
> > > * Name: [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> > > Nodejs SIG]]
> > > * Email: nodejs@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > >
> > > == Detailed Description ==
> > >
> > > The nodejs libraries have been approved to be bundled, and there is
> > > infrastructure in place for the bundling to work properly. Currently,
> >
> > What does this infrastructure look like? How does it help with
> > addressing security issues in the bundled components effectively?
> >
> > > it is recommended that packagers should create individual nodejs
> > > library packages instead of bundling all of the libraries into the
> > > package requiring them.
> >
> > The subject says "Stop Shipping Individual Nodejs Library Packages",
> > therefore it would be more clear to block all Nodejs libraries in Fedora
> > instead of only recommending this. Otherwise it will be some half-baked
> > solution that is probably confusing (Why are some libraries packaged and
> > others bundled?).
> >
> > > This change is to make it default to bundle the nodejs libraries with
> > > the package that needs them, and retire the vast majority of nodejs
> > > library packages.
> > > In summary, for Nodejs Fedora should only package:
> > > * The interpreter, development headers/libraries, and the assorted
> > > tools to manage project-level installations (NPM, yarn, etc.).
> > > * Packages that provide binaries that users would want to use in their shell.
> > > * compiled/binary nodejs modules (for now)
> >
> > This should also include the tooling that is needed to manage the
> > bundling.
> >
> >
> > > == Feedback ==
> > >
> > > There has been a discussion on the fedora nodejs mailing list about
> > > what to do with the extreme dependency problem of the nodejs library
> > > packages. Because of the extreme inter-dependency, upgrading almost
> > > any package causes others to break. It has caused most packages to
> > > rot, remaining on unsupported versions for years. Many of the nodejs
> > > packagers are giving up and orphaning their packages, which has caused
> > > even more problems.
> > >
> > > An initial proposal was to find all of the important nodejs library
> > > packages and bundle those, making them easier to upgrade and maintain.
> > > But there were problems with figuring out what was important, and what
> > > versions should those have. During that discussion, this rather
> > > extreme solution of getting rid of all nodejs libraries was proposed.
> > > To our surprise, it has been the best received suggestion and fixes
> > > the most problems.
> >
> > What problems remain?
> >
> > >
> > > == Benefit to Fedora ==
> > >
> > > * In Fedora 33, there are many nodejs libraries that are
> > > uninstallable, thus causing other programs based off them to also be
> > > uninstallable. This gets rid of that problem.
> > > * Packages in Fedora that use nodejs libraries will be able to use the
> > > library versions that upstream has tested and approved.
> > > * If a package in Fedora uses a nodejs library, the packager will not
> > > have to also package extra individual nodejs library packages. There
> > > have been times this has led to over 100 extra packages, each with
> > > their own package reviews and maintenance problems. This change will
> > > lower the workload on that packager, and possibly get more packages
> > > into Fedora.
> > > * The nodejs maintainers can concentrate on nodejs itself, instead of
> > > the whole nodejs library infrastructure.
> > > * Nodejs developers using Fedora will no longer have to worry about
> > > Fedora's global nodejs libraries causing conflicts or inconsistencies.
> > >
> > > == Scope ==
> > > * Proposal owners:
> > > We will go through the Fedora release and determine what nodejs
> > > packages Fedora should package. We will implement nodejs library
> > > bundling on those we already own. For those that we do not own, we
> > > will work with their owners to implement nodejs library bundling.
> >
> > What about future packagers? How will they learn/be enabled to do it the
> > right way?
> >
> > > As packages implement nodejs library bundling, we will monitor the
> > > nodejs libraries and note which ones are no longer required. When
> > > they are no longer required, we will retire them, if we own them. If
> > > we do not own them, we will work with the owners to retire them, if
> > > they wish.
> > >
> > > * Other developers:
> > > For Fedora packagers whose packages rely on nodejs libraries, please
> > > contact the [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> > > Nodejs SIG]] and we will help you find the easiest way to bundle your
> > > nodejs libraries.
> > >
> > > For Fedora nodejs library packages, look to see what depends on your
> > > library. If it looks like you can do so, retire your nodejs library.
> > > If you would like, give the
> > > [[https://developer.fedoraproject.org/tech/languages/nodejs/SIG.html|
> > > Nodejs SIG]] admin to your nodejs libraries, and they will work
> > > through the process for you.
> > >
> > > * Release engineering: [https://pagure.io/releng/issues #Releng issue
> > > number] (a check of an impact with Release Engineering is needed)
> > > * Policies and guidelines: N/A (not a System Wide Change)
> > > * Trademark approval: N/A (not needed for this Change)
> > > * Alignment with Objectives:
> > >
> > >
> > > == Upgrade/compatibility impact ==
> > > N/A
> > >
> > >
> > > == How To Test ==
> > >
> > > * Install all nodejs libraries in Fedora 33. Try to update to Fedora 34.
> > > * Try to install all packages that require nodejs in Fedora 34.
> > > * Install all packages that require nodejs in Fedora 33. Try to
> > > update to Fedora 34.
> >
> > What are the recommended commands to do the testing?
> >
> > > == User Experience ==
> > > non-developer end users should not see anything different. Their
> > > nodejs binaries should continue to work.
> > >
> > > Nodejs developers using Fedora will no longer have to worry about
> > > Fedora's global nodejs libraries causing conflicts or inconsistencies.
> > >
> > >
> > > == Dependencies ==
> > > As nodejs library packages are removed, we will work with the various
> > > packages that depend on them. We will help them bundle their nodejs
> > > libraries.
> > >
> > >
> > > == Contingency Plan ==
> > > Since we will be bundling the nodejs binaries, before we remove their
> > > current dependencies, we will simply stop where we are at the freeze.
> > > There will be nothing to back out.
> > >
> > > * Contingency mechanism: N/A
> > > * Contingency deadline: N/A
> > > * Blocks release? N/A
> > > * Blocks product? N/A
> > >
> > > == Documentation ==
> > > N/A (not a System Wide Change)
> >
> > This new rule should be properly documented for packagers.
> >
> > Thanks
> > Till
>
> I agree with you on all your points of documentation.
> This needs to be documented better, including notes for new packagers,
> and have example scripts.
> And the Documentation section needs to point to that documentation.
> I am working on this right now.
>
> Troy

Sorry this took so long.
A pull request has been created to update the Node.js Packaging Guidelines.
https://pagure.io/packaging-committee/pull-request/1034

Documentation section has been updated to point to the Packaging
Guidelines, along with the pull request.

Troy