[rdo-list] TripleO UI Packaging Strategy

Mark McLoughlin markmc at redhat.com
Fri Jul 22 08:13:18 UTC 2016


On Fri, Jul 22, 2016 at 8:35 AM, Matthias Runge <mrunge at redhat.com> wrote:
> On 21/07/16 16:23, Honza Pokorny wrote:
>> There still seems to be some confusion about what we're saying, so let
>> me attempt to summarize:
>>
>> 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated
>
> Taking the conversation from IRC here:
>
> I don't think we got an answer on this yet.
>
> If you're pulling all dependencies in, and compile a package then,
> you're basically creating something comparable to statically linked
> binaries: If a library has a security issue, you're going to rebuild the
> whole thing.

Let's challenge ourselves to justify the constraints we're placing on
ourselves using first principles :)

What's wrong with rebuilding the whole thing? e.g. is it

- the user will have a big download/update, for a fix that could have
been self-contained
- the build will take a lot longer than if it was self-contained
- or ...?

The most compelling reason usually is so that, in a case like this,
you don't have to rebuild many packages that statically link to the
library when you have a security issue. Assuming we only have one app
using this library (is that a valid assumption?) then we don't have
that issue here.

> You mentioned somewhere else, dependencies are pinned: is that true for
> dependencies of dependencies as well? Or would I get a different
> tarball, when collecting all dependencies (and deps of deps) in a few weeks?

Right, and the issue there would be that if you have to re-run this
(and as a result get a new set of dependencies) just to fix a bug,
then that's not acceptable.

Hence my question about whether we would have a workable method of
patching the bundled sources in order to apply a fix.

Thanks,
Mark.

>
>
>> node_modules/ directory --- npm downloads sources along with artifacts
>> (e.g. if the package is written in coffee-script, it will contain both
>> the coffee-script sources and the compiled js).  And, we plan to use npm
>> to also build the minified code (e.g. "npm run build").
>
>
> --
> Matthias Runge <mrunge at redhat.com>
>
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham,
>                     Michael O'Neill, Eric Shander
>
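Matthias's question above (are deps of deps pinned, or would a fresh collection in a few weeks yield a different tarball?) is something you can check mechanically rather than argue about. The script below is an added example, not code from this thread or from the TripleO UI project. It walks the nested `dependencies` tree that npm's `npm-shrinkwrap.json` uses (fields `version`, `from`, `resolved`), flags any entry whose version is not an exact semver or which has no `resolved` URL, and diffs two snapshots to show exactly which transitive versions moved. The two lockfiles are constructed for illustration with made-up package names and an `.invalid` registry host; real shrinkwrap files are fed in with `json.load`.

```python
"""Audit an npm shrinkwrap file for unpinned transitive dependencies and
compare two snapshots for drift.

Added example; not from the rdo-list thread or the TripleO UI project.
LOCK_A / LOCK_B below are constructed, with fictional package names.
"""
import copy
import json
import re

# Exact semver only: MAJOR.MINOR.PATCH plus optional prerelease/build tags.
# Anything with range operators (^, ~, >=, x, *, ||) fails this check.
EXACT_SEMVER = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def walk(deps, path=()):
    """Yield (path, entry) for every dependency, recursing into the nested
    'dependencies' blocks that npm 2/3 shrinkwrap files use."""
    for name, entry in sorted(deps.items()):
        here = path + (name,)
        yield here, entry
        yield from walk(entry.get("dependencies", {}), here)


def find_unpinned(lockfile):
    """Return human-readable problems: a version that is not exact, or a
    missing 'resolved' URL (so a later install may fetch something else)."""
    problems = []
    for path, entry in walk(lockfile.get("dependencies", {})):
        dotted = ">".join(path)
        version = entry.get("version", "")
        if not EXACT_SEMVER.match(version):
            problems.append(f"{dotted}: version {version!r} is not exact")
        if not entry.get("resolved"):
            problems.append(f"{dotted}: no 'resolved' URL")
    return problems


def drift(old, new):
    """Map each dependency path whose version changed to (old, new);
    None marks an entry that exists on only one side."""
    old_map = {">".join(p): e.get("version")
               for p, e in walk(old.get("dependencies", {}))}
    new_map = {">".join(p): e.get("version")
               for p, e in walk(new.get("dependencies", {}))}
    changed = {}
    for key in sorted(set(old_map) | set(new_map)):
        if old_map.get(key) != new_map.get(key):
            changed[key] = (old_map.get(key), new_map.get(key))
    return changed


# Constructed snapshot 1: everything pinned, every artifact has a source URL.
REG = "https://registry.example.invalid"
LOCK_A = {
    "name": "example-ui",
    "version": "1.0.0",
    "dependencies": {
        "app-shell": {
            "version": "2.3.1",
            "from": "app-shell@2.3.1",
            "resolved": f"{REG}/app-shell/-/app-shell-2.3.1.tgz",
            "dependencies": {
                "util-lib": {
                    "version": "0.9.4",
                    "from": "util-lib@^0.9.0",
                    "resolved": f"{REG}/util-lib/-/util-lib-0.9.4.tgz",
                },
            },
        },
        "parser-lib": {
            "version": "1.4.0",
            "from": "parser-lib@1.4.0",
            "resolved": f"{REG}/parser-lib/-/parser-lib-1.4.0.tgz",
        },
    },
}

# Constructed snapshot 2, "a few weeks later": a dep-of-dep moved, one entry
# lost its resolved URL, and a hand-added entry carries a wildcard version.
LOCK_B = copy.deepcopy(LOCK_A)
_util = LOCK_B["dependencies"]["app-shell"]["dependencies"]["util-lib"]
_util["version"] = "0.9.6"
_util["resolved"] = f"{REG}/util-lib/-/util-lib-0.9.6.tgz"
del LOCK_B["dependencies"]["parser-lib"]["resolved"]
LOCK_B["dependencies"]["tiny-helper"] = {"version": "*", "from": "tiny-helper@*"}


if __name__ == "__main__":
    print("problems in A:", find_unpinned(LOCK_A))
    print("problems in B:", find_unpinned(LOCK_B))
    print("drift A -> B:", json.dumps(drift(LOCK_A, LOCK_B), indent=2))
```

Run against two real snapshots (`json.load(open("npm-shrinkwrap.json"))` taken before and after a re-collection), an empty `find_unpinned` result and an empty `drift` result together mean the second tarball would contain the same package versions from the same URLs as the first; a non-empty drift list is the precise set of transitive deps that a "just fix one bug" rebuild would silently pull in.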
