https://bugzilla.redhat.com/show_bug.cgi?id=1969450

Martin Pitt <mpitt@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mpitt@xxxxxxxxxx

--- Comment #4 from Martin Pitt <mpitt@xxxxxxxxxx> ---
> The license field should represent all the bundled JS too

Agreed. Is that just an issue of a missing `%license` tag that points to dist/index.js.LICENSE.txt.gz? (@Katerina -- we do that in c-podman) Or literally in "License:"? What is the syntax for multiple licenses there? (Our own code is LGPL, but bundled NPM modules are a wild mix of MIT, BSD, and many others)

> That's why you predownload the node_modules and cockpit lib in separate archives as shown in the SPEC file I provided you.

Just to make sure, you mean this, right?

> Source1: cockpit-lib.tar.gz
> Source2: %{name}-%{version}-nm.tgz
> Source3: %{name}-%{version}-bundled-licenses.txt
> Source10: get-cockpit-lib.sh
> Source11: packages-bundler.sh

As Katerina already mentioned, we don't do that in any other cockpit package which is in Fedora, so doing that will take quite some time. But honestly it doesn't buy anyone anything, other than just a whole lot of busywork, and adding 350 MB of node_modules/ to an otherwise 1 MB tarball.

Rebuilding the webpack from a static node_modules/ copy is completely reproducible, so taking the already built one is a *lot* more efficient, plus avoids transitive licensing/source code problems with "we have to redistribute 735 npmjs.com modules now" (as they are *also* prebuilt and not in preferred form of modification). A developer who wants to change something can just do that and run `make`, which will download everything according to package-lock.json. The original tarball *does* ship the source, it just ships the pre-built webpack in addition.

I know that this situation sucks for distributions, that's just how the JS world looks these days :-(

> you must provide the unminified versions

If you just mean our own source code: That's of course contained in the release tarballs.

[If you mean the node_modules dependencies: No, we can't. `npm install`/npmjs.com packages/releases are also pre-built, and thus minified. Building *everything* from source would mean tracking down several hundred projects from their upstreams, and building them first (and there is no automation that applies to all of them). This is completely impractical, but also I don't believe you actually meant that, as nothing in a distro gets built like that.]
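
Added example, not part of the original message or the project's own code: one way a reviewer could check the reproducibility claim above, by comparing the shipped `dist/` tree against a local rebuild using content hashes. The directory names and sample files are constructed; `.gz` files such as `index.js.LICENSE.txt.gz` are hashed after decompression, because the gzip header embeds a timestamp that differs between otherwise identical builds.

```python
import gzip
import hashlib
import tempfile
from pathlib import Path


def content_digest(path: Path) -> str:
    """SHA-256 of a file's content; .gz members are decompressed first so the
    gzip header (mtime, original name) does not cause false mismatches."""
    data = path.read_bytes()
    if path.suffix == ".gz":
        data = gzip.decompress(data)
    return hashlib.sha256(data).hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path relative to root to its content digest."""
    return {p.relative_to(root).as_posix(): content_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(shipped: Path, rebuilt: Path) -> dict:
    """Report files that are missing, extra, or different in the rebuild."""
    a, b = manifest(shipped), manifest(rebuilt)
    return {
        "missing_in_rebuild": sorted(a.keys() - b.keys()),
        "extra_in_rebuild": sorted(b.keys() - a.keys()),
        "content_differs": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def demo():
    """Build two constructed dist/ trees and compare them twice: once when they
    match apart from gzip timestamps, once after one bundle file is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        for root, mtime in ((shipped, 1), (rebuilt, 2)):
            root.mkdir()
            (root / "index.js").write_bytes(b"console.log('app');\n")
            # Same license text, different gzip mtime: raw bytes differ.
            (root / "index.js.LICENSE.txt.gz").write_bytes(
                gzip.compress(b"MIT\nBSD-3-Clause\n", mtime=mtime))
        clean = compare_builds(shipped, rebuilt)
        (rebuilt / "index.js").write_bytes(b"console.log('changed');\n")
        altered = compare_builds(shipped, rebuilt)
    return clean, altered


if __name__ == "__main__":
    for label, report in zip(("matching", "altered"), demo()):
        print(label, report)
```
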