[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

On ബുധന്‍ 04 ഒക്ടോബര്‍ 2017 09:57 വൈകു, Gunnar Wolf wrote:
> So, what happens currently? Do the affected packages FTBFS? (that,
> IMHO, would be a *good* thing, as we would only need to patch Policy
> to reflect reality)

It seems the FTBFS is not on the official buildds, but other archive
wide build services have a stricter policy on network access and will
result in a serious bug.

> No. It does not only change the perception. You ship a pre-built
> binary as part of your sources, then the build process (with, yes, a
> piece of untrusted blob... But still, that's as far as we can get)
> will happen across our buildds, or by whoever wants to NMU, or even by
> yourself days or weeks later, with a piece of software known to yield
> the package as it got built. We will not be bitten by a random site
> being unexpectedly offline, or by a transpiler changing some
> command-line options without notifying us (to mention only two
> possible issues)

It is always npmjs.com, which is depended on by entire nodejs community.
While it is not impossible for this to go down, the chances are less.
And even if it fails at some point, a rebuild later would produce the
exact same binary.

And for getting predictable builds, we can lock down the dependencies to
exact versions with cryptographic checksums. yarn [1] and [2] npm, both
support this.

Though it will require updating npm to a newer version [3] and/or
packaging yarn [4] (both are in progress).

If I were to use one of these lock files so build process becomes
reproduce-able, would it be agreeable for you? (not an immediate option.
but may be possible in future).

In the short term, I will switch to including pre-built files and will
revisit this situation when/if either npm or yarn with locking feature
is available in the archive.

[1] https://yarnpkg.com/lang/en/docs/yarn-lock/
[2] https://docs.npmjs.com/files/package-lock.json
[3] https://wiki.debian.org/Javascript/Nodejs/Tasks/npm
[4] https://wiki.debian.org/Javascript/Nodejs/Tasks/yarn

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: