Subject: [bug#39765] Add package JupyterLab
From: Ludovic Courtès
To: Lars-Dominik Braun
Cc: 39765@debbugs.gnu.org
Date: Sun, 29 Mar 2020 16:37:11 +0200
Message-ID: <87ftdr1b3c.fsf@gnu.org>
In-Reply-To: <20200327073027.GA4578@zpidnp36> (Lars-Dominik Braun's message of "Fri, 27 Mar 2020 08:30:27 +0100")
References: <20200224101810.GA9010@zpidnp36> <87d08y915t.fsf@gnu.org> <20200327073027.GA4578@zpidnp36>

Hi,

Lars-Dominik Braun wrote:

>> #2 should be quite easy to address: we could arrange to have that
>> feature disabled by default, so that users don’t find themselves
>> unknowingly downloading arbitrary code from npm.
> it’s “disabled” by default, because it is considered experimental in this
> version of JupyterLab. But a user can re-enable it. And the last part is
> entirely client-side, so we cannot disable it completely until we fix #1.
>
>> #1 is a showstopper. :-/ I suppose that’s a lot of code that would
>> need to be imported from npm, right?
> `jupyter build` downloads about 600 NPM packages, as far as I remember.

OK.

>> That said, it’s a big patch, so it would be even better if we didn’t
>> have to carry it. Will the next version of ‘notebook’ include it?
> Does not look like it. The pull request[1] has been open for a few months now.
> It’s vital to our use-case and (probably) everyone hosting notebooks, but not
> very useful to the casual home user. So, executive decision: Do you want it in
> guix proper? I’ll just maintain it in my channel[2] otherwise.

(It’s not about what I personally want or don’t want, of course. :-))

In general, the guideline is to have patches that are either included
upstream, just not in a published release, or are Guix-specific and thus
are not meant to be included upstream.

This patch doesn’t seem to fall in any of these two categories, so I
would prefer not to have it, at least not until upstream has included
it.

WDYT?

Thanks,
Ludo’.