On Thursday 31 July 2025, 23:25:40 Central European Summer Time, Julian Gilbey wrote:
> [Starting a separate thread for this discussion; this was originally
> in a thread about nbdime]
>
> On Thu, Jul 31, 2025 at 02:41:56PM +0200, Jérémy Lal wrote:
> > On Thu, 31 Jul 2025 at 14:31, Julian Gilbey <jdg@debian.org> wrote:
> > [...]
> >
> > Since NodeJS often packs sources together into the resulting
> > dist/index.js (or similar), we should probably make much more use of
> > Built-Using in the NodeJS packages, so that the builds are
> > reproducible, at least at each Debian release time.
> >
> > Such bundles are built by their respective packages, which are
> > Build-Depended upon.
> > Builds are reproducible.
>
> I just rebuilt node-rjsf from source on a Debian testing machine. The
> resulting file /usr/share/nodejs/@rjsf/core/dist/index.js is slightly
> different from that in the official 5.12.1+~5.0.1-3 package. I cannot
> reproduce the build, as the bundled React Javascript seems to have
> changed slightly in the meantime. So the build is reproducible to the
> extent that if the environment is identical, the results will be too.
> In the case of a system like Python, the resulting scripts in the
> binary package are usually just copies of the scripts in the source
> package, and dependencies are loaded at runtime. But that is
> frequently not the case with Javascript/NodeJS packages: tools such as
> rollup or webpack appear to bundle their sources into a single output
> file rather than loading them at runtime. This can lead to
> significant version skew and hard-to-trace bugs when a package is
> later rebuilt.
>
> > Further down the
> > line, it would be good if every time a NodeJS or similar package is
> > updated, all of its reverse dependencies are also automatically
> > rebuilt.
> >
> > That would be awesome, however, that would cost a lot of VM.
> > Jérémy
>
> This is a good point. We already do regular complete archive
> rebuilding, so this would not be that onerous if it were not done for
> every upload. In testing, there are currently about 1760 JS/NodeJS
> source packages, of which only a tiny handful (16) are not
> Architecture: all. Rebuilding that many packages is not that bad, I
> would guess, especially as it would only be needed on one buildd arch,
> and most updates only have a small number of reverse dependencies.
>
> Perhaps something like a weekly binary rebuild of this subsystem would
> be helpful? But it would benefit from using Built-Using throughout
> the ecosystem to ensure that only the needed packages are rebuilt. I
> know that pkg-js-tools generates a ${nodejs:BuiltUsing} substvar, so
> we could probably just use that. (Alternatively, we could use the
> existing Build-Depends fields, but that may not be as useful.) I'm
> not sure why the manpage suggests using XB-Javascript-Built-Using,
> though; it should presumably be just Built-Using, as the release
> managers use that field to prepare releases. (I also think there's a
> bug in the code that generates this substvar; I've just submitted
> #1110204 to the BTS to address this.)

Following DebConf, it is the static-build-using field.

BTW, lintian patch welcome.

BTW, I trigger a rebuild of rdeps weekly for acorn and some packages.

bastien

>
> Best wishes,
>
> Julian
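How recorded Built-Using data could select only the binaries that need a rebuild, as discussed in the thread above. This is an added example, not part of the original messages and not code from pkg-js-tools or any Debian tool. It assumes the usual `source (= version)` syntax; the field name is a parameter because the thread debates which field to use, and all package names and versions are hypothetical.

```python
import re

# Constructed sample in Debian control-stanza format; package names and
# versions are hypothetical. node-app-c uses a folded (multi-line) field.
SAMPLE_PACKAGES = """\
Package: node-app-a
Built-Using: node-lib-x (= 2.0.0-1), node-lib-y (= 0.9-2)

Package: node-app-b
Built-Using: node-lib-x (= 2.0.1-1)

Package: node-app-c
Built-Using:
 node-lib-y (= 0.9-2),
 node-lib-z (= 1.1-1)

Package: node-app-d
"""
PIN = re.compile(r"(\S+)\s*\(=\s*([^\s)]+)\)")

def parse_stanzas(text):
    """Yield one dict per stanza, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def built_using(fields, field="Built-Using"):
    """Return {source: exact version} recorded in the field."""
    return dict(PIN.findall(fields.get(field, "")))

def stale_binaries(packages_text, current):
    """Map binary -> {source: (bundled, current)} where versions differ."""
    stale = {}
    for fields in parse_stanzas(packages_text):
        diffs = {src: (ver, current[src])
                 for src, ver in built_using(fields).items()
                 if src in current and ver != current[src]}
        if diffs:
            stale[fields["Package"]] = diffs
    return stale

if __name__ == "__main__":
    print(stale_binaries(SAMPLE_PACKAGES, {"node-lib-x": "2.0.1-1"}))
```

Packages without the field, such as node-app-d here, never appear in the result, so a bundle that was built without recording its inputs stays invisible to this kind of check.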