On Sun, 2021-01-31 at 18:42 -0500, Andrew Udvare wrote:
>
> Our best option is to treat Nodejs stuff the way we treat Rust and Go
> packages. Pretend Nodejs 'binaries' are 'built' statically and
> therefore, grab all the dependencies in the main package ebuild.

The only thing a package manager does for you is that it allows one
person (the Gentoo developer, in this case) to invest a little bit of
time to save everyone else (the Gentoo users) a lot of time. When
software has been packaged correctly, it integrates well with the rest
of the system, gets constant maintenance and security updates, and can
be managed from a central location in a consistent manner.

"Packaging" software like you describe isn't packaging it in this
sense. When you bundle everything together,
1. Nothing is shared between packages, so build time and disk
usage skyrocket.
2. The number of updates and thus the amount of work required
also skyrockets, for the same reason: when nothing is shared, you
have to update each package whenever a dependency of a dependency
of a dependency... changes.
3. There are no security updates, ever. If you use anything written
in Rust or Go on Gentoo, or if you use anything that uses
anything written in Rust or Go, or..... it will NEVER get a
security update. No one even bothers looking for security
issues in these languages because the "find a bug then fix it"
algorithm is infeasible.
4. You do get to do updates with e.g. "emerge -puDN @world", but not
really, because no one is actually updating Gentoo packages every
time a dependency of a dependency changes.

So ultimately, there's little benefit and it introduces security
vulnerabilities to our users who might be better off just using NPM or
whatever (or using software written in a sane language).