[Pkg-javascript-devel] script to generate debian/watch for embedding nodejs modules
Xavier
yadd at debian.org
Mon Nov 26 15:55:33 GMT 2018
Le 26/11/2018 à 16:29, Xavier a écrit :
> Le 26/11/2018 à 15:55, Paolo Greppi a écrit :
>> I am thinking of using this approach:
>> https://wiki.debian.org/Javascript/GroupSourcesTutorial
>> to embed the modules required for yarkpkg.
>>
>> I have created a Python script to automatically generate the required debian/watch file:
>> https://salsa.debian.org/paolog-guest/create-bundled-watch
>> (to use it, modify the data dictionary as required and invoke it)
>>
>> Running uscan on the generated yarnpkg debian/watch file, it spits out a bunch of tar errors but also successfully downloads these files:
>>
>> ..
>>
>> The file names are crazy! Is this the way the Debian JavaScript Maintainers team wants to go?
>> If you are brave, generate the debian/watch for npm and try running uscan on it ...
>
> Hi all,
>
> new uscan provides a way to avoid part of this (fakeupstream.cgi was
> used to work around old uscan). See below.
>
> Embedding components without following them may be a lack of security. I
> think we should have a policy for embedding:
> - components without major risks => not used in version
> - components that must be followed => declared as "group" in
> debian/watch
> - components that must be followed and used in many other packages
> => packaged separately
>
> Example with node-mongodb (accepted by ftpmaster), 3 "group" components.
> It is easy to add non followed component (replace "group" by "ignore"):
>
> # debian/watch:
> opts="searchmode=plain,pgpmode=none" \
> https://registry.npmjs.org/mongodb
> https://registry.npmjs.org/mongodb/-/mongodb-(\d[\d\.]*)@ARCHIVE_EXT@ group
>
> opts="searchmode=plain,pgpmode=none,component=bson" \
> https://registry.npmjs.org/bson
> https://registry.npmjs.org/bson/-/bson-(\d[\d\.]*)@ARCHIVE_EXT@ group
>
> opts="searchmode=plain,pgpmode=none,component=mongodb-core" \
> https://registry.npmjs.org/mongodb-core
> https://registry.npmjs.org/mongodb-core/-/mongodb-core-(\d[\d\.]*)@ARCHIVE_EXT@ group
>
> opts="searchmode=plain,pgpmode=none,component=requireoptional" \
> https://registry.npmjs.org/require_optional
> https://registry.npmjs.org/require_optional/-/require_optional-(\d[\d\.]*)@ARCHIVE_EXT@ group
>
> # uscan result:
> bson-4.0.0.tgz
> mongodb-3.1.10.tgz
> mongodb-core-3.1.9.tgz
> node-mongodb/
> node-mongodb_3.1.10+~4.0.0+~3.1.9+~1.0.1.orig-bson.tar.gz
> -> bson-4.0.0.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9+~1.0.1.orig-mongodb-core.tar.gz
> -> mongodb-core-3.1.9.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9+~1.0.1.orig-requireoptional.tar.gz
> -> require_optional-1.0.1.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9+~1.0.1.orig.tar.gz
> -> mongodb-3.1.10.tgz
> require_optional-1.0.1.tgz
>
>
> In this case, require_optional may be declared as "ignore". This gives:
>
> bson-4.0.0.tgz
> mongodb-3.1.10.tgz
> mongodb-core-3.1.9.tgz
> node-mongodb/
> node-mongodb_3.1.10+~4.0.0+~3.1.9.orig-bson.tar.gz
> -> bson-4.0.0.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9.orig-mongodb-core.tar.gz
> -> mongodb-core-3.1.9.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9.orig-requireoptional.tar.gz
> -> require_optional-1.0.1.tgz
> node-mongodb_3.1.10+~4.0.0+~3.1.9.orig.tar.gz
> -> mongodb-3.1.10.tgz
> require_optional-1.0.1.tgz
>
>
> Looks acceptable IMO
Policy update:
- components used only during build => not used in version
(except if they inject some code)
- components without major risks => not used in version
- components that must be followed => declared as "group" in
debian/watch
- components that must be followed and used in many other packages
=> packaged separately
Note: I wrote this to help the js-team and decrease the time to wait in the NEW
queue. If you feel that it is "crazy", please simply delete
https://wiki.debian.org/Javascript/GroupSourcesTutorial and the links to
this page.
If you don't want to do it yourself, I can remove the page for you.
Just ask me to do it.
Cheers,
Xavier
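The following is an added example, not Paolo Greppi's create-bundled-watch script and not the node-mongodb packaging discussed above. It generates a debian/watch file in the "group"/"ignore" style of the thread from a list of npm modules, and predicts the upstream version string and the .orig tarball names uscan will produce, so the effect of switching a component from "group" to "ignore" on the version can be checked before running uscan. The `version=4` header, the backslash at the end of every continued line, and the stripping of characters dpkg does not accept in component names (require_optional becomes requireoptional, as in the mail) are my assumptions; the sample versions are the ones quoted in the thread.

```python
"""Generate a debian/watch that embeds npm modules as uscan "group" (followed)
or "ignore" (not followed) components, and predict what uscan will name the
result. Added example, not the create-bundled-watch script nor node-mongodb's
own packaging."""

import re

ARCHIVE_EXT = "@ARCHIVE_EXT@"
NPM_REGISTRY = "https://registry.npmjs.org"


def component_name(npm_name):
    """Name used in opts=component=... and in .orig-<component>.tar.gz.
    Assumption: keep only [A-Za-z0-9-], which is what dpkg accepts there."""
    return re.sub(r"[^A-Za-z0-9-]", "", npm_name)


def watch_stanza(npm_name, mode, main=False):
    """One watch entry; mode is "group" (version followed) or "ignore"."""
    if mode not in ("group", "ignore"):
        raise ValueError(f"unknown mode {mode!r}")
    opts = ["searchmode=plain", "pgpmode=none"]
    if not main:
        opts.append("component=" + component_name(npm_name))
    pattern = rf"{NPM_REGISTRY}/{npm_name}/-/{npm_name}-(\d[\d\.]*){ARCHIVE_EXT}"
    # Assumption: every continued line ends with a backslash.
    return (
        f'opts="{",".join(opts)}" \\\n'
        f"  {NPM_REGISTRY}/{npm_name} \\\n"
        f"  {pattern} {mode}\n"
    )


def generate_watch(main_module, components):
    """components: list of (npm_name, mode) in the order the version is built."""
    out = "version=4\n\n" + watch_stanza(main_module, "group", main=True)
    for npm_name, mode in components:
        out += "\n" + watch_stanza(npm_name, mode)
    return out


def upstream_version(main_version, components, versions):
    """uscan joins the main version and each "group" component's version with
    "+~"; "ignore" components do not contribute to the version."""
    parts = [main_version]
    for npm_name, mode in components:
        if mode == "group":
            parts.append(versions[npm_name])
    return "+~".join(parts)


def orig_tarballs(source, main_version, components, versions):
    """Names of the .orig tarballs uscan writes; every component, followed or
    not, still gets its own orig-<component>.tar.gz."""
    version = upstream_version(main_version, components, versions)
    names = [f"{source}_{version}.orig.tar.gz"]
    for npm_name, _mode in components:
        names.append(f"{source}_{version}.orig-{component_name(npm_name)}.tar.gz")
    return names


# Constructed sample: the node-mongodb figures quoted in the thread, with
# require_optional declared as "ignore".
NODE_MONGODB_COMPONENTS = [
    ("bson", "group"),
    ("mongodb-core", "group"),
    ("require_optional", "ignore"),
]
VERSIONS = {"bson": "4.0.0", "mongodb-core": "3.1.9", "require_optional": "1.0.1"}

if __name__ == "__main__":
    print(generate_watch("mongodb", NODE_MONGODB_COMPONENTS))
    for name in orig_tarballs("node-mongodb", "3.1.10", NODE_MONGODB_COMPONENTS, VERSIONS):
        print(name)
```

Running the script prints the watch file followed by the four tarball names; flipping require_optional back to "group" appends "+~1.0.1" to every name, which is the difference between the two uscan listings quoted above.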