On Fri, Dec 10, 2021 at 12:57 PM Sandro Mani <manisandro@xxxxxxxxx> wrote: > > > On 10.12.21 01:54, Demi Marie Obenour wrote: > > On 12/9/21 1:05 PM, Sandro Mani wrote: > >> On 09.12.21 17:31, Vitaly Zaitsev via devel wrote: > >>> On 09/12/2021 16:56, Sandro Mani wrote: > >>>> This does not appear to be accurate for nodejs packages - take i.e. > >>>> node-svgo, which compliant with the guidelines bundles node_modules > >>>> dir in svgo-2.8.0-nm-dev.tgz resp svgo-2.8.0-nm-prod.tgz. > >>> You can vendor only sources. No prebuilt assets are allowed. > >> Which would basically mean bundling the node_modules folder? > > No, it would mean bundling the source from which the stuff in > > node_modules is generated. > > Well this isn't what is the current nodejs packaging guidelines state > and as noted by Ben elsewhere in this thread would make it prohibitive > to package anything but the most trivial nodejs library. Well, not even NodeJS packaging can ignore basic "legal" requirements (such as: not shipping pre-built binaries etc.). I always assumed that to be an implicit rule, which doesn't need to be repeated on every domain-specific Packaging Guidelines page ... So, if bundled / vendored dependencies contain objectionable content, those files needs to be removed, preferably before building the vendor tarball. If that's currently not the case, then NodeJS packaging is more broken than I thought. Fabio _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
