[Pkg-javascript-devel] Bug#940708: Component database

Xavier yadd at debian.org
Mon Feb 10 15:54:48 GMT 2020 

Le 10/02/2020 à 15:13, Jonas Smedegaard a écrit :
> Hi Xavier,
> 
> Quoting Xavier (2020-02-10 15:06:00)
>> I wrote a little feature in lintian that will build a component 
>> database (https://salsa.debian.org/lintian/lintian/commit/36469e3), 
>> released in lintian 2.51.0.
>>
>> Next step, build node.js components database (name+version given by 
>> package.json). This will avoid having to use too long version (See 
>> https://bugs.debian.org/940708)
> 
> I don't follow how changes to lintian can help solve bug#940708 - but 
> instead of replying here, I recommend that you clarify by posting to 
> that bug.
> 
>  - Jonas

1. Because of component embedding (required by ftpmaster), we use uscan
   components in JS Team
2. Then to follow upstream changes, we can have a version that stores
   all important modules versions in it
3. Then for important packages like acorn and if DD wants to follow all
   upstream changes, version becomes crazy (this bug for example)
4. I proposed an MR to acorn to reduce version,      => not accepted [1]
5. I proposed an MR to devscripts to compact version => not accepted [2]
6. Then I had the idea of another way to follow upstream changes,
   that could have some other benefits:
   a. lintian will generate some classification tags
   b. we will be able to have an up-to-date DB of embedded component
   c. we will be able to build a new tracker that displays result
   d. Security Team will have a better view on our embedded components
      (${nodejs:Provides} shows only components installed in nodejs root
       directories - name + real-version)
   e. npm2deb will be able to show already-embedded-component when a
      contributor uses `npm2deb depends foo`

For now, I didn't find a better way to solve this bug (important IMO).

acorn-6 is needed for Node.js 12 migration. I think we have to find a
way to fix this issue to avoid the shame of having published such
version string.

Using lintian tags is my 3rd proposal here and probably the last.

As usual, sorry for my poor English.

[1]: https://salsa.debian.org/js-team/acorn/merge_requests/4
[2]: https://salsa.debian.org/debian/devscripts/merge_requests/156

More information about the Pkg-javascript-devel mailing list