From: Pjotr Prins
Subject: Re: NPM and trusted binaries
Date: Fri, 9 Sep 2016 11:26:24 +0200
Message-ID: <20160909092624.GA817@thebird.nl>
In-Reply-To: <871t0ta2bs.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, Sep 09, 2016 at 10:45:43AM +0200, Ludovic Courtès wrote:

> Yes, that’s a serious concern. Maybe all we can reasonably hope to
> achieve is to provide a core subset of the free NPM packages in Guix
> proper, built from source.
>
> People may still end up using automatically-generated, unchecked
> packages for the rest. Nevertheless, that would be an improvement over
> the status quo.
>
> (PyPI, Hackage, CPAN, and CRAN seem to be less problematic in this
> regard, maybe because they are “culturally closer” to the free software
> movement.)

Not quite true, though there are generally fewer dependencies to deal
with. I still install packages using those language systems - especially
with Ruby, R, D and Elixir.

It does not matter. Once I want robustness I make sure to package in
Guix. npm is just the worst of the lot because of the sheer size,
stupidity and circular dependencies.

We should really think a bit harder about the transitional phase. Also,
software development in general goes faster than we can package.

My take is that GNU Guix proper should be lean, mean and robust. That
way we can maintain and rely on stuff.

For the more experimental packages and other 'solutions' we ought to
depend on channels - or distributed package sources. These need not take
the purist view.

Pj.