How to handle nodejs bundling with native compiled modules ?

I'm working on packaging where one component is written in nodejs.
The Fedora packaging guidelines are pretty explicit that I should
be bundling all the 3rd party nodejs 

  https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js

 "You can provide a package that uses nodejs, but you should bundle
  all the nodejs libraries that are needed."

The recommended 'nodejs-packaging-bundler' script is a wrapper around
'npm install' which then creates tarballs from the node_modules
subtree containing the *installed* dependencies.

On the surface that looks fine, but in my case I noticed that the
tarballs contained a bunch of .a and .o files. Looking further
there are also .node files, which appear to be just .so files,
with a changed file extension.

What's happened is that one (or more) of the dependencies are
native nodejs modules (ffi-napi in particular), not pure JS,
and as a result compilers get involved.

Since maintainers run 'nodejs-packaging-bundler' on their local dev
machine, we're running compilation on this dev machine, with whatever
toolchain is present. The maintainer then uploads this to the lookaside
cache.

This is obviously not good, as any compilation tasks must take place
inside koji with known toolchains used.


I'm wondering how to deal with this ?

A first step would be patching nodejs-packaging-bundler script to
look for any .a, .o and .node files, and exclude them from the
tarball.

The spec would then have to manually run 'node-gyp' to re-create
the .node files. That is probably sufficient to avoid this particular
problem.


More generally though I'm concerned that using 'npm install' in the
'nodejs-packaging-bundler' tool to create deps bundles is a flawed
conceptual approach.

The result of 'npm install' is not a pristine source tree, it is
something that is derived from the source tree in some manner.

Even if no native toolchain is used, IIUC, the package.json file
can request execution of arbitrary scripts which get triggered by
'npm install'. We surely want all this to be run in a known
environment, not the maintainer's local machine ?

I would think for bundling nodejs deps, we want to be downloading
all the pristine tarballs for each package, and then run 'npm install'
against this set of tarballs during %build ?

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
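
A check along the lines of the first step proposed in the message above, as an added example (not part of the original post and not code from nodejs-packaging-bundler): it walks an installed tree and reports .a, .o and .node files, package.json install hooks, and binding.gyp files. The sample tree and the package names `native-dep` and `pure-dep` are constructed for illustration.

```javascript
// Added example: audit an installed node_modules tree before it is tarred up.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const BINARY_EXT = new Set(['.a', '.o', '.node']);          // extensions named in the post
const LIFECYCLE = ['preinstall', 'install', 'postinstall']; // hooks run by 'npm install'

function auditTree(root) {
  const report = { binaries: [], scripts: [], gyp: [] };
  const walk = (dir) => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      const rel = path.relative(root, full);
      if (ent.isSymbolicLink()) continue;             // e.g. .bin links; never follow
      if (ent.isDirectory()) { walk(full); continue; }
      if (BINARY_EXT.has(path.extname(ent.name))) report.binaries.push(rel);
      // npm's default install step runs 'node-gyp rebuild' when this file exists
      if (ent.name === 'binding.gyp') report.gyp.push(rel);
      if (ent.name === 'package.json') {
        let scripts = {};
        try { scripts = JSON.parse(fs.readFileSync(full, 'utf8')).scripts || {}; }
        catch { continue; }                           // skip unparsable manifests
        for (const hook of LIFECYCLE) {
          if (typeof scripts[hook] === 'string') report.scripts.push(`${rel}: ${hook} = ${scripts[hook]}`);
        }
      }
    }
  };
  walk(root);
  for (const k of Object.keys(report)) report[k].sort();
  return report;
}

// Constructed sample tree (package names and file names are hypothetical).
function makeSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'bundle-audit-'));
  const put = (rel, data) => {
    const p = path.join(root, rel);
    fs.mkdirSync(path.dirname(p), { recursive: true });
    fs.writeFileSync(p, data);
  };
  put('node_modules/native-dep/package.json', JSON.stringify({ name: 'native-dep', scripts: { install: 'node-gyp rebuild' } }));
  put('node_modules/native-dep/binding.gyp', '{}');
  put('node_modules/native-dep/build/Release/binding.node', 'ELF');
  put('node_modules/native-dep/build/Release/obj.target/binding.o', 'ELF');
  put('node_modules/pure-dep/package.json', JSON.stringify({ name: 'pure-dep', scripts: { test: 'echo ok' } }));
  put('node_modules/pure-dep/index.js', 'module.exports = 1;');
  return root;
}

console.log(auditTree(makeSampleTree()));
```

A non-empty `binaries` list means the tree carries output from the local toolchain; non-empty `scripts` or `gyp` lists name the packages whose install step ran code on the machine that produced the tree.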
