[rdo-list] TripleO UI Packaging Strategy
Matthias Runge
mrunge at redhat.com
Fri Jul 22 06:35:52 UTC 2016
On 21/07/16 16:23, Honza Pokorny wrote:
> There still seems to be some confusion about what we're saying, so let
> me attempt to summarize:
>
> 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated

Taking the conversation from IRC here:
I don't think we got an answer on this yet.

If you're pulling all dependencies in and then compiling a package,
you're basically creating something comparable to statically linked
binaries: If a library has a security issue, you're going to rebuild the
whole thing.

You mentioned somewhere else that dependencies are pinned: is that true for
dependencies of dependencies as well? Or would I get a different
tarball when collecting all dependencies (and deps of deps) in a few weeks?

> node_modules/ directory --- npm downloads sources along with artifacts
> (e.g. if the package is written in coffee-script, it will contain both
> the coffee-script sources and the compiled js). And, we plan to use npm
> to also build the minified code (e.g. "npm run build").
--
Matthias Runge <mrunge at redhat.com>
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham,
Michael O'Neill, Eric Shander
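
For the question above about whether pinning reaches dependencies of dependencies, here is an added example (not part of the original message and not TripleO UI code): a Node.js check over an npm-shrinkwrap.json-style tree that lists entries at any depth lacking an exact version or a resolved URL, plus a digest that two collection runs can compare. The package names, versions and registry URL are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Exact semver only: ranges such as ^1.2.0, ~1.2, 1.x or "latest" fail this.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Flatten the nested "dependencies" tree into [{path, version, resolved}].
function flatten(node, prefix = '') {
  const out = [];
  for (const name of Object.keys(node.dependencies || {}).sort()) {
    const dep = node.dependencies[name];
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ path, version: dep.version, resolved: dep.resolved });
    out.push(...flatten(dep, path));
  }
  return out;
}

// Entries at any depth that a later install could resolve differently.
function findUnpinned(lock) {
  return flatten(lock)
    .filter((d) => !EXACT.test(d.version || '') || !d.resolved)
    .map((d) => d.path);
}

// Direct dependencies declared in package.json but absent from the lock tree.
function missingFromLock(pkg, lock) {
  return Object.keys(pkg.dependencies || {})
    .filter((n) => !(lock.dependencies || {})[n])
    .sort();
}

// Stable digest of the tree: equal digests mean both runs collected the
// same versions from the same URLs, direct and transitive.
function fingerprint(lock) {
  const lines = flatten(lock).map((d) => `${d.path}@${d.version} ${d.resolved}`);
  return createHash('sha256').update(lines.join('\n')).digest('hex');
}

// Constructed sample data (hypothetical packages, not from the thread).
const samplePkg = { dependencies: { 'ui-lib': '^2.1.0', 'helper-b': '~0.4.0' } };
const sampleLock = { dependencies: { 'ui-lib': {
  version: '2.1.3', resolved: 'https://registry.example/ui-lib-2.1.3.tgz',
  dependencies: { 'util-a': { version: '^1.1.0' } }, // transitive, not pinned
} } };

console.log('unpinned:', findUnpinned(sampleLock));
console.log('not in lock:', missingFromLock(samplePkg, sampleLock));
console.log('tree digest:', fingerprint(sampleLock));
```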