From: Julien Lepiller
Subject: Re: NPM importer
Date: Wed, 21 Nov 2018 18:15:03 +0100
To: Giovanni Biscuolo
Cc: guix-devel@gnu.org

On 2018-11-21 17:37, Giovanni Biscuolo wrote:
> ludo@gnu.org (Ludovic Courtès) writes:
>
> [...]
>
>> Yes, this was the topic of a GSoC project by Jelle Licht (Cc’d). But
>> don’t hold your breath: as Chris Webber explained, the npm situation is
>> very hard to address sanely:
>>
>> http://dustycloud.org/blog/javascript-packaging-dystopia/
>
> (semi OT: today Debian ships a recent jquery 3.2.1)
>
> I'm not an expert in js (nor guix) packaging so I'm not able to judge
> this:
>
> https://spin.atomicobject.com/2016/12/16/reproducible-builds-npm-yarn/
>
> is yarn a viable solution to the NPM packaging problems?
>
> can we achieve reproducible builds ala guix with a yarn importer and
> some amount of yarn packages downloading/automation and offline
> mirroring?

How different is it to build an npm package and a yarn package? Could you elaborate a bit on your idea?

We can already build packages with our wip node-build-system, as long as we have build- and run-time dependencies available. The real hard parts are: sometimes build-tools depend on what they build, there are just too many dependencies and some packages don't declare a license properly.

For instance, grunt is a build tool for node packages; it has 179 dependencies at runtime (including recursive dependencies). All of them need to be built before grunt can be run. What's the chance that none of them require grunt? I haven't taken the time to look at these dependencies, so maybe I'm pessimistic with no good reason.

Another instance is application-config-path that declares its license only in the Makefile, in the form of "License: MIT". Do we consider this free software?

Now if yarn has some build recipes and has taken the time to make this whole mess more manageable, I'm all for a yarn importer. Otherwise, it's just another source of package information, which is fine, but npm seems to do the job already.

>
> Ciao
> Giovanni
>
> P.S.: why
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures
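
The two problems raised in this message (a build tool that ends up in its own dependency closure, and packages whose metadata declares no license) can be checked mechanically before import. The following is an added example, not part of the original e-mail and not Guix's importer code; the package names and the `registry` object are constructed, and it assumes every package is built from source, so devDependencies count at every level.

```javascript
// Constructed sample metadata in the shape of package.json fields.
// Package names are hypothetical, not real npm packages.
const registry = {
  "task-runner": { license: "MIT",
    dependencies: { "glob-lib": "*" }, devDependencies: { "task-runner-lint": "*" } },
  "task-runner-lint": { license: "MIT",
    dependencies: { "glob-lib": "*" }, devDependencies: { "task-runner": "*" } },
  "glob-lib": { license: "ISC", dependencies: { "path-util": "*" }, devDependencies: {} },
  "path-util": { dependencies: {}, devDependencies: {} }, // no license field at all
};

// Direct inputs needed to build a package from source: run-time plus build-time.
function buildInputs(name) {
  const pkg = registry[name] || {};
  return [...Object.keys(pkg.dependencies || {}),
          ...Object.keys(pkg.devDependencies || {})];
}

// Everything that must exist before `name` can be built, followed recursively.
function closure(name) {
  const seen = new Set();
  const stack = buildInputs(name);
  while (stack.length > 0) {
    const dep = stack.pop();
    if (seen.has(dep)) continue;
    seen.add(dep);
    stack.push(...buildInputs(dep));
  }
  return seen;
}

// A package found in its own closure cannot be built purely from source:
// some pre-built copy of it (or of a package on the cycle) is needed first.
function selfDependent() {
  return Object.keys(registry).filter((n) => closure(n).has(n)).sort();
}

// Packages whose metadata carries no usable license string need manual review.
function missingLicense() {
  return Object.keys(registry)
    .filter((n) => typeof registry[n].license !== "string" || registry[n].license.trim() === "")
    .sort();
}

console.log("closure size of task-runner:", closure("task-runner").size);
console.log("need bootstrapping:", selfDependent());
console.log("no license in metadata:", missingLicense());
```

A license stated only in another file, as in the Makefile case mentioned above, shows up here as missing metadata and still needs a human decision.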