I'm working on packaging where one component is written in nodejs. The Fedora packaging guidelines are pretty explicit that I should be bundling all the 3rd party nodejs libraries: https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js

"You can provide a package that uses nodejs, but you should bundle all the nodejs libraries that are needed."

The recommended 'nodejs-packaging-bundler' script is a wrapper around 'npm install' which then creates tarballs from the node_modules subtree containing the *installed* dependencies.

On the surface that looks fine, but in my case I noticed that the tarballs contained a bunch of .a and .o files. Looking further there are also .node files, which appear to be just .so files with a changed file extension.

What's happened is that one (or more) of the dependencies are native nodejs modules (ffi-napi in particular), are not pure JS, and as a result compilers get involved. Since maintainers run 'nodejs-packaging-bundler' on their local dev machine, we're running compilation on this dev machine, with whatever toolchain is present. The maintainer then uploads this to the lookaside cache. This is obviously not good, as any compilation tasks must take place inside koji with known toolchains used.

I'm wondering how to deal with this?

A first step would be patching the nodejs-packaging-bundler script to look for any .a, .o and .node files, and exclude them from the tarball. The spec would then have to manually run 'node-gyp' to re-create the .node files. That is probably sufficient to avoid this particular problem.

More generally though, I'm concerned that using 'npm install' in the 'nodejs-packaging-bundler' tool to create deps bundles is a flawed conceptual approach. The result of 'npm install' is not a pristine source tree; it is something that is derived from the source tree in some manner. Even if no native toolchain is used, IIUC, the package.json file can request execution of arbitrary scripts which get triggered by 'npm install'.

We surely want all this to be run in a known environment, not the maintainer's local machine? I would think for bundling nodejs deps, we want to be downloading all the pristine tarballs for each package, and then run 'npm install' against this set of tarballs during %build?

With regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
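As an added example (not code from the post above, nor from nodejs-packaging-bundler), here is a POSIX shell sketch of the "first step" the post proposes: scan a node_modules tree for the .a, .o and .node build products that a native module such as ffi-napi leaves behind, and repack the tree with those excluded so that koji has to regenerate them with node-gyp under a known toolchain. The sample tree it builds is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: detect and strip native build artifacts from a node_modules
# tree before it is tarred up for the lookaside cache.

# List compiled artifacts (.a, .o, .node) under the given directory, one per line.
list_native_artifacts() {
    find "$1" -type f \( -name '*.a' -o -name '*.o' -o -name '*.node' \) | sort
}

# Exit status 0 if the tree contains any compiled artifacts, 1 otherwise.
# Useful as a guard in a bundler script: refuse to ship a tarball that has them.
has_native_artifacts() {
    [ -n "$(list_native_artifacts "$1")" ]
}

# Tar up the node_modules directory ($1) into $2, leaving out compiled
# artifacts so the build in %build must recreate them with node-gyp.
bundle_without_artifacts() {
    tar --exclude='*.a' --exclude='*.o' --exclude='*.node' \
        -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Constructed sample tree (hypothetical layout) mimicking what an npm install
# of a native module leaves next to pure-JS dependencies.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/node_modules/ffi-napi/build/Release/obj.target"
    mkdir -p "$d/node_modules/lodash"
    echo '{}' > "$d/node_modules/ffi-napi/package.json"
    echo 'module.exports = {};' > "$d/node_modules/lodash/index.js"
    : > "$d/node_modules/ffi-napi/build/Release/ffi_bindings.node"
    : > "$d/node_modules/ffi-napi/build/Release/obj.target/ffi.o"
    : > "$d/node_modules/ffi-napi/build/Release/libffi.a"
    echo "$d"
}
```

Run `list_native_artifacts node_modules` against a real bundler output to see what would otherwise be uploaded; an empty result is the condition a patched bundler should enforce before writing the tarball.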