On Thursday, 31 July 2025, 23:25:40 Central European Summer Time, Julian Gilbey
wrote:
> [Starting a separate thread for this discussion; this was originally
> in a thread about nbdime]
>
> On Thu, Jul 31, 2025 at 02:41:56PM +0200, Jérémy Lal wrote:
> > On Thu, 31 Jul 2025 at 14:31, Julian Gilbey <jdg@debian.org> wrote:
> > [...]
> >
> > Since NodeJS often packs sources together into the resulting
> > dist/index.js (or similar), we should probably make much more use of
> > Built-Using in the NodeJS packages, so that the builds are
> > reproducible, at least at each Debian release time.
> >
> > Such bundles are built by their respective packages, which are
> > Build-Depended upon.
> > Builds are reproducible.
>
> I just rebuilt node-rjsf from source on a Debian testing machine. The
> resulting file /usr/share/nodejs/@rjsf/core/dist/index.js is slightly
> different from that in the official 5.12.1+~5.0.1-3 package. I cannot
> reproduce the build, as the bundled React Javascript seems to have
> changed slightly in the meantime. So the build is reproducible to the
> extent that if the environment is identical, the results will be too.
> In the case of a system like Python, the resulting scripts in the
> binary package are usually just copies of the scripts in the source
> package, and dependencies are loaded at runtime. But that is
> frequently not the case with Javascript/NodeJS packages: tools such as
> rollup or webpack appear to bundle their sources into a single output
> file rather than loading them at runtime. This can lead to
> significant version skew and hard-to-trace bugs when a package is
> later rebuilt.
>
> > Further down the
> > line, it would be good if every time a NodeJS or similar package is
> > updated, all of its reverse dependencies are also automatically
> > rebuilt.
> >
> > That would be awesome, however, that would cost a lot of VM.
> > Jérémy
>
> This is a good point. We already do regular complete archive
> rebuilding, so this would not be that onerous if it were not done for
> every upload. In testing, there are currently about 1760 JS/NodeJS
> source packages, of which only a tiny handful (16) are not
> Architecture: all. Rebuilding that many packages is not that bad, I
> would guess, especially as it would only be needed on one buildd arch,
> and most updates only have a small number of reverse dependencies.
>
> Perhaps something like a weekly binary rebuild of this subsystem would
> be helpful? But it would benefit from using Built-Using throughout
> the ecosystem to ensure that only the needed packages are rebuilt. I
> know that pkg-js-tools generates a ${nodejs:BuiltUsing} substvar, so
> we could probably just use that. (Alternatively, we could use the
> existing Build-Depends fields, but that may not be as useful.) I'm
> not sure why the manpage suggests using XB-Javascript-Built-Using,
> though; it should presumably be just Built-Using, as the release
> managers use that field to prepare releases. (I also think there's a
> bug in the code that generates this substvar; I've just submitted
> #1110204 to the BTS to address this.)
Following DebConf, it is the static-build-using field. BTW, lintian patch welcome.
BTW, I trigger a rebuild of rdeps weekly for acorn and some packages.
bastien
>
> Best wishes,
>
> Julian
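An added example, not part of the thread and not code from pkg-js-tools or any Debian tool: one way a Built-Using field could narrow a rebuild to the binary packages whose bundled inputs have changed, as discussed above. The stanzas, package names and versions are constructed; the `source (= version)` syntax is the one Debian Policy defines for Built-Using.

```python
import re

# Constructed sample in Packages format; names and versions are made up.
PACKAGES = """\
Package: node-example-ui
Built-Using: node-example-lib (= 2.0-1),
 node-bundled-dep (= 18.2.0-3)

Package: node-other
Built-Using: node-bundled-dep (= 18.3.1-1)

Package: node-plain
Version: 4.1-1
"""
# Constructed: source versions currently in the archive.
CURRENT = {"node-example-lib": "2.0-1", "node-bundled-dep": "18.3.1-1"}
ENTRY = re.compile(r"(\S+)\s*\(\s*=\s*([^)\s]+)\s*\)")

def parse_stanzas(text):
    """Yield each stanza as a dict, folding continuation lines into their field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_using(stanza):
    """Return {source: version} from 'src (= ver), ...'; reject anything else."""
    result = {}
    for item in stanza.get("Built-Using", "").split(","):
        if item.strip():
            m = ENTRY.fullmatch(item.strip())
            if not m:
                raise ValueError(f"malformed Built-Using entry: {item!r}")
            result[m.group(1)] = m.group(2)
    return result

def rebuild_candidates(text, current):
    """Map binary package -> [(source, built_with, now)]; exact pins, so != suffices."""
    stale = {}
    for stanza in parse_stanzas(text):
        diffs = [(s, v, current.get(s)) for s, v in built_using(stanza).items()
                 if current.get(s) != v]
        if diffs:
            stale[stanza["Package"]] = diffs
    return stale
```

A source that has left the archive is reported with `None` as its current version, so it still shows up as a rebuild candidate.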