Re: Minified JS and CSS in Node packages
On 03/07/2023 17:09, Demi Marie Obenour wrote: On 7/3/23 11:59, Tom Hughes wrote: On 03/07/2023 16:41, Demi Marie Obenour wrote: Would it be possible to ensure that Node packages contain only actual source code, as in “the preferred form for making modifications” (quote from GNU GPL, I forget which version)? The simple answer is maybe in principle but in practice it's very hard as numerous previous threads will tell you. The tar balls from the npmjs registry which constitute the released versions of node packages frequently contain such things often without the original source or any of the tooling to build from it. The alternative is packaging from the upstream git but even then, and even if it is well maintained with version tags, there are often huge dependency chains to get all the tools needed to actually do the builds. I thought Fedora policy required shipping actual source code, in which case this alternative is the only option allowed. Yes you're right, and there's long been a question of exactly what constitutes that with javascript packages. When I was packaging and reviewing Node stuff I certainly tried to do so where it was in any way feasible. Minimisers weren't usually too bad - you can always just skip them after all - but once you start dealing with transpilers it can get a lot harder plus you often wind up having to write your own build script because the upstream one is using one of a dozen different Node based tools each of which has hundreds of dependent modules you would need to package. Tom -- Tom Hughes (t...@compton.nu) http://compton.nu/ ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Minified JS and CSS in Node packages
On 7/3/23 11:59, Tom Hughes wrote: > On 03/07/2023 16:41, Demi Marie Obenour wrote: > >> Would it be possible to ensure that Node packages contain only actual source >> code, as in “the preferred form for making modifications” (quote from GNU >> GPL, >> I forget which version)? > > The simple answer is maybe in principle but in practice it's > very hard as numerous previous threads will tell you. > > The tar balls from the npmjs registry which constitute the > released versions of node packages frequently contain such > things often without the original source or any of the tooling > to build from it. > > The alternative is packaging from the upstream git but even > then, and even if it is well maintained with version tags, there > are often huge dependency chains to get all the tools needed to > actually do the builds. I thought Fedora policy required shipping actual source code, in which case this alternative is the only option allowed. -- Sincerely, Demi Marie Obenour (she/her/hers) ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Minified JS and CSS in Node packages
On 03/07/2023 16:41, Demi Marie Obenour wrote: Would it be possible to ensure that Node packages contain only actual source code, as in “the preferred form for making modifications” (quote from GNU GPL, I forget which version)? The simple answer is maybe in principle but in practice it's very hard as numerous previous threads will tell you. The tar balls from the npmjs registry which constitute the released versions of node packages frequently contain such things often without the original source or any of the tooling to build from it. The alternative is packaging from the upstream git but even then, and even if it is well maintained with version tags, there are often huge dependency chains to get all the tools needed to actually do the builds. Tom -- Tom Hughes (t...@compton.nu) http://compton.nu/ ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Minified JS and CSS in Node packages
Looking at the source to llparse reveals that it contains minified versions of lodash, source-map, js-yaml, diff, and snprintf-js. The corresponding source code also appears to be present, but my understanding of Fedora policy is that the minified versions should not be in a Fedora source package. I suspect other packages in the Node ecosystem have the same problem. Would it be possible to ensure that Node packages contain only actual source code, as in “the preferred form for making modifications” (quote from GNU GPL, I forget which version)? -- Sincerely, Demi Marie Obenour (she/her/hers) ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue