On Fri, Aug 4, 2017 at 10:43 AM Troy Dawson <tdaw...@redhat.com> wrote:

> On Fri, Aug 4, 2017 at 6:48 AM, Stuart D Gathman <stu...@gathman.org>
> wrote:
> > I've started working on packaging scuttlebot for Fedora.  I see that we
> now have a Fedora package for every nodejs module.  This makes it easy to
> map directories in node_modules to package names - however, it means
> submitting hundreds of packages to ever get scuttlebot submitted.
> >
> > I'm wondering if there is a better way.  A node module typically
> corresponds to a .o file in a C library (with exceptions like libsodium).
> It is like having a separate package for every function in glibc.  Suppose
> we did this:
> >
> > 1) a nodejs-stdlib that includes all the common modules (a list to be
> argued over at length :-) ).  There is no penalty other than a small amount
> of disk space for unused modules - just like with a C library.
> >
> > 2) other multi-module systems are combined - usually including all
> modules with the same first word.  For instance, all the pull stream
> modules begin with 'pull': pull-abortable, pull-box-stream, pull-cat,
> pull-cont, etc.  This would become nodejs-pull, and include all the pull
> modules.
> >
> > When the package name matches the first word of the module name, then
> determining the package is still easy.  When that is not the case, as with
> the proposed nodejs-stdlib, then dnf can still search for npm(...)
> Although this looks tempting, it's only looking at half the problem.
> Versions
> Nodejs modules get updated all the time, at different rates for
> different packages.
> If you had just one package for many modules, it would be getting
> updated at an alarming rate.

I think the better approach is carefully-controlled bundling in Fedora. As
of a couple years ago, it is now permissible to bundle software together in
Fedora if it meets certain conditions:
1) If the dependency is already packaged in Fedora and this software is
compatible with that version, then this software must link against the
unbundled version.
2) If the dependency is not yet packaged in Fedora but is likely to be
useful to large amounts of Fedora software, it is strongly encouraged that
it be packaged separately.
3) Other dependencies MAY be carried internally by the package that needs
them, but that package MUST include `Provides: bundled(npm(modulename)) =

Rule 3) is so that if there is a security vulnerability in npm(modulename),
we can find any and all software that is required to be updated.

I haven't had any time to work on it, but I'd very much like to develop an
automatic RPM dependency generator that will recurse down the node_modules
directories, read their package.json files and automatically create those
Provides. If anyone else wants to take a crack at doing that, it would be
an immense help.
nodejs mailing list -- nodejs@lists.fedoraproject.org
To unsubscribe send an email to nodejs-le...@lists.fedoraproject.org

Reply via email to