On 12/10/21 6:56 AM, Sandro Mani wrote: > On 10.12.21 01:54, Demi Marie Obenour wrote: >> On 12/9/21 1:05 PM, Sandro Mani wrote: >>> On 09.12.21 17:31, Vitaly Zaitsev via devel wrote: >>>> On 09/12/2021 16:56, Sandro Mani wrote: >>>>> This does not appear to be accurate for nodejs packages - take i.e. >>>>> node-svgo, which compliant with the guidelines bundles node_modules >>>>> dir in svgo-2.8.0-nm-dev.tgz resp svgo-2.8.0-nm-prod.tgz. >>>> You can vendor only sources. No prebuilt assets are allowed. >>> Which would basically mean bundling the node_modules folder? >> No, it would mean bundling the source from which the stuff in >> node_modules is generated. > > Well this isn't what is the current nodejs packaging guidelines state > and as noted by Ben elsewhere in this thread would make it prohibitive > to package anything but the most trivial nodejs library. If some of the dependencies are unnecessary, the package maintainers could patch the code to not use them, and send the patches upstream. That said, this really needs to be solved at the NPM level, by having NPM packages include machine-extractable source code. In any case, node_modules is not source code, since it is not “the preferred form of the work for making modifications to it.” (quoting LGPLv2.1 here, but I believe Fedora uses an equivalent definition). The question then becomes whether it is more like bundling a prebuilt binary, which is not acceptable, or like the bundling of the output of lex, yacc, or pandoc in autotools-generated tarballs, which I consider fine. One distinction might be whether the output files are portable and can be automatically regenerated, which is invariably true in the latter case. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
