[Pkg-javascript-devel] Draft to embed more than one Node module in a Debian package

Moritz Mühlenhoff jmm at inutil.org
Tue Sep 18 20:08:21 BST 2018


On Thu, Sep 13, 2018 at 11:59:20AM +0200, Xavier wrote:
> Ref:
> 
> Hi all,
> 
> Ftpmasters want to reduce node packages in NEW queue [1]. Extract:
> 
>   "node packages are rather small and often consist only of a few lines
>   of code. From my point of view it is very unlikely that such packages
>   will change over time, so their code will remain constant forever.
>   More likely upstreams will add new features and pay no attention to
>   backward compatible APIs.
> 
>   In the node ecosystem everything is fine. Their developers use carets
>   or tildes as dependency operators and just depend on the version of
>   the API they really need.
> 
>   In Debian such packages basically create two problems. They bloat the
>   packages file, which prolongs the process of installing or updating
>   packages. Further Debian only allows packages with one, the latest,
>   version in the archive. So uploading packages with the newer API would
>   make packages that still depend on the older API unusable. Usually
>   this is not recognized and suddenly packages in the archive won't work
>   anymore.
>   One could introduce versions within package names, but this would just
>   multiply the number of node packages."
>   ...
> 
> After a long discussion in JS team, I built a Wiki draft [2] and I would
> like to have an opinion of Security Team before continuing in this way.

I see the general direction, but I think this won't fully solve the actual
problems we're seeing with applications using nodejs modules.

We need to look at this from the view of the web applications to be packaged,
not from the view of individual packages.

Dealing with the bundles on the packages level is only part of the problem,
though. This can only be made manageable with additional policy/archive
changes, basically what I outlined at
https://lists.debian.org/debian-devel/2018/02/msg00354.html before.

So I'd encourage you to extend/generalise this (the same problem is also
applicable to Ruby packages to some extent) so that it's ready for the
buster release.

Cheers,
        Moritz


