From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: jquery 3.1.1
Date: Fri, 20 Jan 2017 22:14:42 +0100
Message-ID: <87y3y5mo1p.fsf@gnu.org>
In-Reply-To: <874m0u8dx0.fsf@gnu.org> (Mike Gerwitz's message of "Fri, 20 Jan 2017 01:04:59 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mike Gerwitz
Cc: guix-devel

Hey,

Mike Gerwitz wrote:

> On Thu, Jan 19, 2017 at 21:48:44 +0100, Catonano wrote:
>> Anyway, now I have a COMPLETE graph of the dependencies of jquery 3.1.1
>>
>> It's made of
>> 47311 vertices and
>> 324569 edges
>
> lol...
>
>> Anyway, these broken packages pose a challenge to the mission of porting
>> Jquery into Guix, in my opinion,
>
> My greater concern is verifying licenses: that'd have to be considered
> in the DAG (...I hope it's a DAG; who knows what those node packages
> might be doing!) to flag potential problems. The JS community is pretty
> lax on licensing (in both the permissive sense and the I-don't-care
> sense); the license might not be correct or might be missing
> entirely. Or might not match what's in the source files.
>
> Verifying that many dependencies is going to be a challenge for an
> automated system; we'd want humans to look at many of them too to make
> sure things aren't fishy. The problem is that one single dependency
> that's mischaracterized as free---even if it's one of the
> single-function packages---can destroy an entire project (e.g. jQuery).

Indeed, that’s terrible.

(One could argue that single-function packages are “trivial” from a
copyright standpoint. Then the subset of the npm repo containing those
trivial packages could be viewed as a database of “facts” (which, in
some jurisdiction, is covered by a “sui generis” right disjoint from
copyright.))

>> One last fun fact: while I was watching the output flowing in my terminal,
>> I saw a package called
>>
>> "broccoli-funnel"
>
> Ah, they missed a really good logo opportunity! :-)

Ludo’.