On Fri, Jul 22, 2016 at 8:35 AM, Matthias Runge <mrunge(a)redhat.com> wrote:
> On 21/07/16 16:23, Honza Pokorny wrote:
> > There still seems to be some confusion about what we're saying, so let
> > me attempt to summarize:
> >
> > 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated
>
> Taking the conversation from IRC here:
> I don't think we got an answer on this yet.
> If you're pulling all dependencies in, and compile a package then,
> you're basically creating something comparable to statically linked
> binaries: If a library has a security issue, you're going to rebuild the
> whole thing.
Let's challenge ourselves to justify the constraints we're placing on
ourselves using first principles :)
What's wrong with rebuilding the whole thing? e.g. is it
- the user will have a big download/update, for a fix that could have
been self-contained
- the build will take a lot longer than if it was self-contained
- or ...?
The most compelling reason usually is so that, in a case like this,
you don't have to rebuild many packages that statically link to the
library when you have a security issue. Assuming we only have one app
using this library (is that a valid assumption?) then we don't have
that issue here.
> You mentioned somewhere else, dependencies are pinned: is that true
> for dependencies of dependencies as well? Or would I get a different
> tarball, when collecting all dependencies (and deps of deps) in a few weeks?
Right, and the issue there would be that if you have to re-run this
(and as a result get a new set of dependencies) just to fix a bug,
then that's not acceptable.
Hence my question about whether we would have a workable method of
patching the bundled sources in order to apply a fix.
Thanks,
Mark.
> > node_modules/ directory --- npm downloads sources along with artifacts
> > (e.g. if the package is written in coffee-script, it will contain both
> > the coffee-script sources and the compiled js). And, we plan to use npm
> > to also build the minified code (e.g. "npm run build").
>
> --
> Matthias Runge <mrunge(a)redhat.com>
> Red Hat GmbH,
> http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham,
> Michael O'Neill, Eric Shander
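The pinning question raised above (are dependencies of dependencies pinned, and would a re-collection in a few weeks yield a different tarball?) can be checked mechanically before bundling. The script below is an added example, not code from this thread or from any RDO project: it walks a package.json together with the nested npm-shrinkwrap.json tree and reports direct specs that are ranges, lock entries whose recorded version is not exact, and lock entries with no resolved URL. Package names and versions in the sample input are constructed.

```python
import re

# Exact semver version, optionally with a pre-release tag, e.g. 1.2.3 or 1.2.3-rc.1.
# Ranges such as ^1.2.0, ~1.2.0, >=1.0.0, "*" or "latest" do not match.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def is_pinned(spec):
    """True if a package.json-style version spec names exactly one version."""
    return bool(EXACT_VERSION.match(spec.strip()))


def walk(deps, path=()):
    """Yield (path, entry) for every package in a nested shrinkwrap tree."""
    for name, entry in sorted(deps.items()):
        here = path + (name,)
        yield here, entry
        yield from walk(entry.get("dependencies", {}), here)


def audit(package_json, shrinkwrap):
    """Return (package count, findings) for a package.json / shrinkwrap pair.

    Findings are (kind, path) tuples: 'unpinned-direct' for a package.json spec
    that is a range, 'unpinned' for a lock entry whose version is not exact, and
    'unresolved' for a lock entry with no 'resolved' URL (a rebuild could then
    fetch something other than what was originally bundled).
    """
    findings = []
    for name, spec in sorted(package_json.get("dependencies", {}).items()):
        if not is_pinned(spec):
            findings.append(("unpinned-direct", name))
    total = 0
    for path, entry in walk(shrinkwrap.get("dependencies", {})):
        total += 1
        dotted = "/".join(path)
        if not is_pinned(entry.get("version", "")):
            findings.append(("unpinned", dotted))
        if not entry.get("resolved"):
            findings.append(("unresolved", dotted))
    return total, findings


# Constructed sample input (hypothetical package names, not real projects).
SAMPLE_PACKAGE = {"dependencies": {"pkg-a": "^1.1.0", "pkg-b": "4.13.1"}}
SAMPLE_SHRINKWRAP = {"dependencies": {
    "pkg-a": {"version": "1.1.1", "resolved": "https://registry.example/pkg-a-1.1.1.tgz"},
    "pkg-b": {"version": "4.13.1", "resolved": "https://registry.example/pkg-b-4.13.1.tgz",
              "dependencies": {"pkg-c": {"version": "0.2.0"}}},  # nested, no resolved URL
}}

if __name__ == "__main__":
    total, findings = audit(SAMPLE_PACKAGE, SAMPLE_SHRINKWRAP)
    print(f"{total} packages in tree, {len(findings)} findings: {findings}")
```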
rdo-list mailing list
rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list