On 12/18/21 3:04 AM, Andreas Schneider wrote:
> On Thursday, 16 December 2021 23:59:23 CET Demi Marie Obenour wrote:
>> On 12/10/21 6:56 AM, Sandro Mani wrote:
>>> On 10.12.21 01:54, Demi Marie Obenour wrote:
>>>> On 12/9/21 1:05 PM, Sandro Mani wrote:
>>>>> On 09.12.21 17:31, Vitaly Zaitsev via devel wrote:
>>>>>> On 09/12/2021 16:56, Sandro Mani wrote:
>>>>>>> This does not appear to be accurate for nodejs packages - take i.e.
>>>>>>> node-svgo, which, compliant with the guidelines, bundles the node_modules
>>>>>>> dir in svgo-2.8.0-nm-dev.tgz resp. svgo-2.8.0-nm-prod.tgz.
>>>>>>
>>>>>> You can vendor only sources. No prebuilt assets are allowed.
>>>>>
>>>>> Which would basically mean bundling the node_modules folder?
>>>>
>>>> No, it would mean bundling the source from which the stuff in
>>>> node_modules is generated.
>>>
>>> Well, this isn't what the current nodejs packaging guidelines state,
>>> and as noted by Ben elsewhere in this thread it would make it prohibitive
>>> to package anything but the most trivial nodejs library.
>>
>> If some of the dependencies are unnecessary, the package maintainers
>> could patch the code to not use them, and send the patches upstream.
>> That said, this really needs to be solved at the NPM level, by having
>> NPM packages include machine-extractable source code.
>>
>> In any case, node_modules is not source code, since it is not "the
>> preferred form of the work for making modifications to it." (quoting
>> LGPLv2.1 here, but I believe Fedora uses an equivalent definition).
>> The question then becomes whether it is more like bundling a prebuilt
>> binary, which is not acceptable, or like the bundling of the output
>> of lex, yacc, or pandoc in autotools-generated tarballs, which I
>> consider fine. One distinction might be whether the output files are
>> portable and can be automatically regenerated, which is invariably
>> true in the latter case.
>
> I don't see a problem if the node modules don't ship prebuilt libraries or
> binaries. If you look at my scripts they remove all of this.
>
> https://src.fedoraproject.org/rpms/nodejs-bash-language-server/blob/rawhide/f/prepare_vendor.sh#_55

As long as everything left is in fact (human-editable) source code, this
is fine. This excludes both minified JavaScript and the output of
TypeScript, Babel, or other transpilers. All of those would need to be
run during the package build.

I looked at the nodejs-bash-language-server source package and it does
not meet this requirement. The file
.package-cache/v6/npm-object-assign-4.1.0-968bf1100d7956bb3ca086f006f846b3bc4008da-integrity/node_modules/object.assign/dist/browser.js
in the vendor tarball is obviously transpiler or bundler output. There
are also several .min.js files and source maps, none of which should be
present in a Fedora source package. This was just a cursory inspection;
I would expect a thorough review before a new package is uploaded.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
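The review Demi asks for above can be partly automated. The following scanner is an added example written for this page; it is not part of prepare_vendor.sh or of any Fedora package. It walks a vendored node_modules tree and flags files that are not human-editable source by the criteria named in the thread: .min.js files, source maps and sourceMappingURL references, native binaries, and JS that has the shape of transpiler or bundler output (marker strings such as the __esModule define that Babel and TypeScript emit, files under dist/ or build/, and very long lines). The marker strings, the line-length thresholds and the sample tree it scans are all assumptions; they are heuristics for a reviewer to start from, and an empty result is not proof that a file is source.

```python
#!/usr/bin/env python3
"""Heuristic scan of a vendored node_modules tree for files that are not
human-editable source.  Added example; thresholds and markers are assumptions."""
import os
import re
import tempfile

SOURCEMAP_REF = re.compile(rb"//[#@]\s*sourceMappingURL=")
# Strings typically left behind by Babel/TypeScript/webpack output (assumed markers).
TRANSPILER_MARKERS = (
    b'Object.defineProperty(exports, "__esModule"',
    b"__webpack_require__",
    b"/******/",
    b"_interopRequireDefault(",
    b"__importDefault(",
)
# ELF, PE, Mach-O and universal Mach-O magic numbers.
NATIVE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def looks_minified(data, max_line=2000, max_avg=300):
    """True if JS/CSS text has the shape of minifier output: one very long line
    or a long average line length.  Thresholds are assumptions; tune per package."""
    lines = [ln for ln in data.splitlines() if ln.strip()]
    if not lines:
        return False
    longest = max(len(ln) for ln in lines)
    avg = sum(len(ln) for ln in lines) / len(lines)
    return longest > max_line or avg > max_avg


def classify(relpath, data):
    """Return the reasons a vendored file should not ship as 'source'.
    An empty list means nothing was flagged, not that the file is source."""
    reasons = []
    lower = relpath.lower()
    ext = os.path.splitext(lower)[1]
    if lower.endswith((".min.js", ".min.css", ".min.mjs")):
        reasons.append("minified-name")
    if ext == ".map":
        reasons.append("source-map")
    if ext in (".node", ".so", ".dll", ".dylib", ".wasm") or data[:4].startswith(NATIVE_MAGIC):
        reasons.append("native-binary")
    if ext in (".js", ".mjs", ".cjs", ".css"):
        if SOURCEMAP_REF.search(data):
            reasons.append("sourcemap-reference")
        if any(marker in data for marker in TRANSPILER_MARKERS):
            reasons.append("transpiler-output")
        if looks_minified(data):
            reasons.append("minified-content")
        # dist/, build/ and umd/ are the conventional homes of generated output.
        parts = lower.split("/")
        if "dist" in parts or "build" in parts or "umd" in parts:
            reasons.append("built-output-dir")
    return reasons


def scan_tree(root):
    """Walk root and return {relative path: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            reasons = classify(rel, data)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed sample tree (not the real package contents) so the scan runs offline.
SAMPLE_FILES = {
    "node_modules/object.assign/index.js":
        b"'use strict';\n\nvar define = require('define-properties');\n\n"
        b"module.exports = function assign(target) {\n  return target;\n};\n",
    "node_modules/object.assign/dist/browser.js":
        b"(function(){\"use strict\";Object.defineProperty(exports, \"__esModule\", {value:true});"
        + b"var a=1;" * 400 + b"\n",
    "node_modules/foo/lib/foo.min.js":
        b"!function(e){e.foo=1}(this);\n//# sourceMappingURL=foo.min.js.map\n",
    "node_modules/foo/lib/foo.min.js.map":
        b'{"version":3,"sources":["foo.js"]}\n',
    "node_modules/bar/build/Release/bar.node":
        b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
}


def demo():
    """Write the constructed sample tree to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    found = demo()
    for rel, reasons in sorted(found.items()):
        print(f"{rel}: {', '.join(reasons)}")
    # Non-zero exit so a spec %prep or CI step fails while flagged files remain.
    raise SystemExit(1 if found else 0)
```

Run it against an unpacked vendor tarball by replacing demo() with scan_tree(path). A hand-written index.js with short lines and plain require() calls passes; the dist/browser.js sample trips three checks at once, which is the usual signature of bundler output and the kind of file the message above says should be regenerated at build time rather than shipped.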
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure