
Re: How should we handle greenbone-security-assistant?



Quoting Raphael Hertzog (2020-12-17 13:16:14)
> On Wed, 16 Dec 2020, Jonas Smedegaard wrote:
> > 4/ analyze what yarn/npm would do during build, and translate that 
> > into existing Debian Nodejs packages and actual need for custom 
> > work.  In the JavaScript team we use this page as starting point for 
> > analyzing large projects: 
> > https://wiki.debian.org/Javascript/Nodejs/Tasks
> 
> Out of curiosity, I have run your script on the package.json file of 
> greenbone-security-assistant and this just confirms that it's not 
> realistic to package everything separately: 
> https://wiki.debian.org/Javascript/Nodejs/Tasks/gsa

Nice.  Doesn't look like an impossible task to me.


> Even if you package everything, you will never ever have the right 
> combination of version of the various packages.

What is possible to auto-compute is a coarse view of the work needed.

In reality, most Nodejs modules declare too tight versioning for their 
dependencies, and in many cases it is adequate that a module is packaged 
even if not at the version declared as required.  A concrete example is 
"ansi-styles" which is most likely working just fine in version 4.x.

Also, some build-dependencies are for development purposes other than 
strictly compiling the code - e.g. for benchmarking or producing test 
coverage reports.  A concrete example is "eslint-config-prettier" which 
is a lint-checker with a specific bias.  It is not strictly needed to 
lint-check code, but a good idea to do so especially if messing with it 
through patches - but then the more generic non-biased lint-checker 
eslint can in many cases be used instead.

Also, the script fails to detect virtual packages.  A concrete example 
is "@types/jest" provided in virtual package "node-types-jest".

Also, the script lists dependencies multiple times.  See e.g. "shape" 
appearing twice (skipping its dependencies at its second entry), and 
"d3-shape" is listed several times.


In your original post you seemingly already ruled out proper packaging 
as a premise, and it seems you continue to use absolutes like 
"everything" and "never".  I find that discouraging - please consider a 
less negative tone.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
