From: swedebugia
Subject: NPM importer - tarballs - SWH - commit ids
Date: Wed, 28 Nov 2018 12:26:13 +0100
To: guix-devel

Hi

I looked closer at the JSON output from the npm registry and found that they host tarballs and give the URL for every version in the JSON response ("tarball" . "url").

All the npm packages I ever looked at (100 or so of the biggest and dependencies of those) were hosted on GitHub.

I have a few questions regarding the wealth of information available from this registry:

1) Does anyone know if these tarballs are reproducible? I.e. do they change over time?
2) Can we use the GPG signature for something?
3) SWH gives us tarballs according to commit ids. If we use npm-tarballs we can store the commit in the JSON response (or look it up with the GitHub API) as a property:

   (properties `((commit . hash)))

Any thoughts?

-- 
Cheers
Swedebugia
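
One way to notice a registry tarball changing over time, and to carry the commit id along, is to check the downloaded bytes against the hash the registry publishes and record a pin. This is an added example, not code from the post or from Guix; it assumes the registry fields `dist.tarball`, `dist.integrity`, `dist.shasum` and `gitHead`, and `pin_version` and the sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sri(algo, data):
    """SRI string as found in dist.integrity: '<algo>-<base64 digest>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

def verify_integrity(integrity, data):
    """True if any strong hash listed in the SRI string matches the bytes."""
    for entry in integrity.split():
        algo = entry.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and hmac.compare_digest(entry, sri(algo, data)):
            return True
    return False

def pin_version(packument, version, tarball_bytes):
    """Check the tarball against the registry hash, then return a pin record."""
    meta = packument["versions"][version]
    dist = meta["dist"]
    if dist.get("integrity"):
        ok = verify_integrity(dist["integrity"], tarball_bytes)
    else:
        # Older entries carry only a SHA-1 hex digest in 'shasum'.
        ok = hmac.compare_digest(dist.get("shasum", ""),
                                 hashlib.sha1(tarball_bytes).hexdigest())
    if not ok:
        raise ValueError(f"{version}: tarball does not match the registry hash")
    return {
        "url": dist["tarball"],
        # Our own pin: a later download with a different sha256 means the bytes changed.
        "sha256": hashlib.sha256(tarball_bytes).hexdigest(),
        # None when the version was not published from a git checkout.
        "commit": meta.get("gitHead"),
    }

# Constructed sample data (not a real package or registry response).
TARBALL = b"constructed bytes standing in for example-pkg-1.0.0.tgz"
PACKUMENT = {"name": "example-pkg", "versions": {"1.0.0": {
    "gitHead": "0123456789abcdef0123456789abcdef01234567",
    "dist": {"tarball": "https://registry.example/example-pkg/-/example-pkg-1.0.0.tgz",
             "integrity": sri("sha512", TARBALL),
             "shasum": hashlib.sha1(TARBALL).hexdigest()}}}}

if __name__ == "__main__":
    print(pin_version(PACKUMENT, "1.0.0", TARBALL))
```

The `commit` value in the returned record is what would go into the `(properties ...)` field sketched in the message.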