[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Built-Using for NodeJS/Javascript packages



Le jeudi 31 juillet 2025, 23:25:40 heure d’été d’Europe centrale Julian Gilbey 
a écrit :
> [Starting a separate thread for this discussion; this was originally
> in a thread about nbdime]
> 
> On Thu, Jul 31, 2025 at 02:41:56PM +0200, Jérémy Lal wrote:
> > Le jeu. 31 juil. 2025 à 14:31, Julian Gilbey <jdg@debian.org> a écrit :
> > [...]
> > 
> >   Since NodeJS often packs sources together into the resulting
> >   dist/index.js (or similar), we should probably make much more use of
> >   Built-Using in the NodeJS packages, so that the builds are
> >   reproducible, at least at each Debian release time.
> > 
> > Such bundles are built by their respective packages, which are
> > Build-Depended upon.
> > Builds are reproducible.
> 
> I just rebuilt node-rjsf from source on a Debian testing machine.  The
> resulting file /usr/share/nodejs/@rjsf/core/dist/index.js is slightly
> different from that in the official 5.12.1+~5.0.1-3 package.  I cannot
> reproduce the build, as the bundled React Javascript seems to have
> changed slightly in the meantime.  So the build is reproducible to the
> mextent that if the environment is identical, the results will be too.
> In the case of a system like Python, the resulting scripts in the
> binary package are usually just copies of the scripts in the source
> package, and dependencies are loaded at runtime.  But that is
> frequently not the case with Javascript/NodeJS packages: tools such as
> rollup or webpack appear to bundle their sources into a single output
> file rather than loading them at runtime.  This can lead to
> significant version skew and hard-to-trace bugs when a package is
> later rebuilt.
> 
> >   Further down the
> >   line, it would be good if every time a NodeJS or similar package is
> >   updated, all of its reverse dependencies are also automatically
> >   rebuilt.
> > 
> > That would be awesome, however, that would cost a lot of VM.
> > Jérémy
> 
> This is a good point.  We already do regular complete archive
> rebuilding, so this would not be that onerous if it were not done for
> every upload.  In testing, there are currently about 1760 JS/NodeJS
> source packages, of which only a tiny handful (16) are not
> Achitecture: all.  Rebuilding that many packages is not that bad, I
> would guess, especially as it would only be needed on one buildd arch,
> and most updates only have a small number of reverse dependencies.
> 
> Perhaps something like a weekly binary rebuild of this subsystem would
> be helpful?  But it would benefit from using Built-Using throughout
> the ecosystem to ensure that only the needed packages are rebuilt.  I
> know that pkg-js-tools generates a ${nodejs:BuiltUsing} substvar, so
> we could probably just use that.  (Alternatively, we could use the
> existing Build-Depends fields, but that may not be as useful.)  I'm
> not sure why the manpage suggests using XB-Javascript-Built-Using,
> though; it should presumably be just Built-Using, as the release
> managers use that field to prepare releases.  (I also think there's a
> bug in the code that generates this substvar; I've just submitted
> #1110204 to the BTS to address this.)

Following debconf it is static-build-using field BTW lintian patch welcome

BTW i tigger rebuild of rdeps weekly for acorn and some package
bastien
> 
> Best wishes,
> 
>    Julian

Attachment: signature.asc
Description: This is a digitally signed message part.


Reply to: