Some node modules contain generated JavaScript, for example transpiled from es6->es5, generated from coffeescript, or generated with jison.
Is it allowed to include these generated files in the module or do we really need to "build from source"? The package guidelines do not mention generated code [1].
I'm currently reviewing a package [2] which is generated with jison; jison and its dependencies are not packaged. Packaging jison seems like a lot of work without any benefits.
What do you think, can we include generated JavaScript or do we have to build from source?
Piotr
[1] https://fedoraproject.org/wiki/Packaging:Guidelines#No_inclusion_of_pre-buil...
On 11/23/2015 02:14 PM, Piotr Popieluch wrote:
> Some node modules contain generated JavaScript, for example transpiled from es6->es5, generated from coffeescript, or generated with jison.
> Is it allowed to include these generated files in the module or do we really need to "build from source". The package guidelines do not mention generated code [1]
That's probably worth bringing up with the FPC, but I think historically the requirement is that we have to build generated code from the original source; that including a pre-built copy of it is unacceptable.
Some of the generic reasons would be that Fedora may use different default flags to the compiler/interpreter that produces the generated code and thus it might be expected to honor those (examples might include security-hardening flags that upstream did not use).
> I'm currently reviewing a package [2] which is generated with jison, jison and its dependencies are not packaged. Packaging jison seems like a lot of work without any benefits.
Well, is jison something that other packages would use to generate code like these modules? Because if so, that's a clear benefit: package jison and the others can use it.
Generated code is usually suspect, because in most cases it carries no comments and tends to be difficult for a human to understand (compared to its source material). As a result, it would be very easy for someone to sneak something into the generated code output that doesn't match the sources.
> What do you think, can we include generated JavaScript or do we have to build from source?
My opinion is ALWAYS build from source; it's the only way to ensure what you deliver actually matches the readable sources.
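The check that building from source makes possible, as an added example that is not part of the thread: a shell function that regenerates a file from its readable source and compares the result with the pre-generated copy shipped upstream. `toy_generator` and the sample files are constructed stand-ins so it runs without jison; with jison installed the generator arguments would be `jison grammar.jison -o`.

```shell
#!/bin/sh
# verify_generated SHIPPED GENERATOR [ARGS...]
#   Runs "GENERATOR ARGS... <tmpfile>", so the generator's last argument
#   must be its output path. Returns 0 on match, 1 on mismatch, 2 if the
#   generator itself failed.
verify_generated() {
    shipped=$1
    shift
    regenerated=$(mktemp) || return 2
    if ! "$@" "$regenerated" >/dev/null 2>&1; then
        echo "generator failed: $*" >&2
        rm -f "$regenerated"
        return 2
    fi
    rc=0
    if ! cmp -s "$shipped" "$regenerated"; then
        echo "MISMATCH: $shipped is not what the source generates" >&2
        # Show the lines that exist only in the shipped copy.
        diff "$regenerated" "$shipped" | grep '^>' >&2 || true
        rc=1
    fi
    rm -f "$regenerated"
    return "$rc"
}

# Constructed stand-in for a real generator: "compiles" SRC to OUT by
# upper-casing it.
toy_generator() {
    tr 'a-z' 'A-Z' < "$1" > "$2"
}

# Constructed demo data: one honest generated file, one with an extra line
# that has no counterpart in the source.
demo_dir=$(mktemp -d)
printf 'expr: term plus term\n' > "$demo_dir/grammar.src"
printf 'EXPR: TERM PLUS TERM\n' > "$demo_dir/honest.js"
printf 'EXPR: TERM PLUS TERM\nEXTRA LINE NOT IN SOURCE\n' > "$demo_dir/altered.js"

for f in honest.js altered.js; do
    if verify_generated "$demo_dir/$f" toy_generator "$demo_dir/grammar.src"; then
        echo "$f: matches regenerated output"
    else
        echo "$f: does NOT match regenerated output"
    fi
done
rm -rf "$demo_dir"
```

A mismatch can also come from running a different generator version than upstream did, so it calls for reading the diff rather than assuming tampering.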
The problem now is that we need that module ASAP. I have no problem with packaging jison, but it would have to be reviewed and built today/tomorrow and it's at least 7 modules. I would prefer to package it as it is for now and rebuild it when jison is packaged.
----- Original Message -----
From: "Stephen Gallagher" sgallagh@redhat.com
To: nodejs@lists.fedoraproject.org
Sent: Monday, November 23, 2015 8:26:04 PM
Subject: Re: How to handle generated code
> On 11/23/2015 02:14 PM, Piotr Popieluch wrote:
>> Some node modules contain generated JavaScript, for example transpiled from es6->es5, generated from coffeescript, or generated with jison.
>> Is it allowed to include these generated files in the module or do we really need to "build from source". The package guidelines do not mention generated code [1]
> That's probably worth bringing up with the FPC, but I think historically the requirement is that we have to build generated code from the original source; that including a pre-built copy of it is unacceptable.
> Some of the generic reasons would be that Fedora may use different default flags to the compiler/interpreter that produces the generated code and thus it might be expected to honor those (examples might include security-hardening flags that upstream did not use).
>> I'm currently reviewing a package [2] which is generated with jison, jison and its dependencies are not packaged. Packaging jison seems like a lot of work without any benefits.
> Well, is jison something that other packages would use to generate code like these modules? Because if so, that's a clear benefit: package jison and the others can use it.
> Generated code is usually suspect, because in most cases it carries no comments and tends to be difficult for a human to understand it (compared to its source material). As a result, it would be very easy for someone to sneak something into the generated code output that doesn't match the sources
>> What do you think, can we include generated JavaScript or do we have to build from source?
> My opinion is ALWAYS build from source; it's the only way to ensure what you deliver actually matches the readable sources.
On 24/11/15 09:49, Zuzana Svetlikova wrote:
> The problem now is, that we need that module ASAP. I have no problem with packaging jison, but it would have to be reviewed and built today/tomorrow and it's at least 7 modules. I would prefer to package it as it is for now and rebuild it when jison is packaged.
With respect that's not how it works in Fedora.
You may be able to bypass normal procedures in RHEL because something is declared "urgent" by management but you don't get to ignore the packaging rules in Fedora just by claiming urgency.
The only question is whether what you want to do is compliant with the packaging guidelines, and if not whether FPC would grant an exception.
Tom
On Tue, Nov 24, 2015 at 4:49 AM, Zuzana Svetlikova zsvetlik@redhat.com wrote:
> The problem now is, that we need that module ASAP. I have no problem with packaging jison, but it would have to be reviewed and built today/tomorrow and it's at least 7 modules.
I'm happy to do package reviews today, or even help package the modules themselves. Just send me a message on IRC (my nick is "jsmith"), and I'd be happy to help. I'd rather volunteer to do the work and get things done quickly rather than try to bypass the process.
Do you have a list of the 7 modules that need to be packaged/reviewed?
-Jared
On 11/24/2015 08:06 AM, Jared K. Smith wrote:
> On Tue, Nov 24, 2015 at 4:49 AM, Zuzana Svetlikova <zsvetlik@redhat.com> wrote:
>> The problem now is, that we need that module ASAP. I have no problem with packaging jison, but it would have to be reviewed and built today/tomorrow and it's at least 7 modules.
> I'm happy to do package reviews today, or even help package the modules themselves. Just send me a message on IRC (my nick is "jsmith"), and I'd be happy to help. I'd rather volunteer to do the work and get things done quickly rather than try to bypass the process.
> Do you have a list of the 7 modules that need to be packaged/reviewed?
For what it's worth, I'm trying to get a statement from FPC on whether this is generally acceptable to do. But yeah, if someone wants to fast-track the jison packaging process, that would be the ideal case, I think.
On Tue, Nov 24, 2015 at 8:07 AM, Stephen Gallagher sgallagh@redhat.com wrote:
> But yeah, if someone wants to fast-track the jison packaging process, that would be the ideal case, I think.
Yeah, and there's no reason the two tasks can't be done in parallel, either. As I stated earlier, I'm working on the jison side of things.
-Jared
On 11/24/2015 08:07 AM, Stephen Gallagher wrote:
> On 11/24/2015 08:06 AM, Jared K. Smith wrote:
>> On Tue, Nov 24, 2015 at 4:49 AM, Zuzana Svetlikova <zsvetlik@redhat.com> wrote:
>>> The problem now is, that we need that module ASAP. I have no problem with packaging jison, but it would have to be reviewed and built today/tomorrow and it's at least 7 modules.
>> I'm happy to do package reviews today, or even help package the modules themselves. Just send me a message on IRC (my nick is "jsmith"), and I'd be happy to help. I'd rather volunteer to do the work and get things done quickly rather than try to bypass the process.
>> Do you have a list of the 7 modules that need to be packaged/reviewed?
> For what it's worth, I'm trying to get a statement from FPC on whether this is generally acceptable to do. But yeah, if someone wants to fast-track the jison packaging process, that would be the ideal case, I think.
OK, I spoke with Jason Tibbitts from FPC today. His interpretation is that we should treat jison pretty much exactly as we do bison: in other words, it's preferred that we re-generate it (and should continue to work towards that), but this is NOT a blocker for this package. (But once we finish the jison packaging, it's in our best interest to rebuild this package using our copy of jison to regenerate the code).
On Tue, Nov 24, 2015 at 8:06 AM, Jared K. Smith jsmith@fedoraproject.org wrote:
> Do you have a list of the 7 modules that need to be packaged/reviewed?
In the interest of time, I've already started on these -- hopefully not duplicating the work of anyone else.
The following packages are done already, and I'll be submitting review requests shortly:
https://jsmith.fedorapeople.org/Packaging/nodejs-lex-parser/
https://jsmith.fedorapeople.org/Packaging/nodejs-jison-lex/
-Jared
On Tue, Nov 24, 2015 at 8:57 AM, Jared K. Smith jsmith@fedoraproject.org wrote:
> https://jsmith.fedorapeople.org/Packaging/nodejs-lex-parser/
https://bugzilla.redhat.com/show_bug.cgi?id=1284942 Review request for nodejs-lex-parser
https://bugzilla.redhat.com/show_bug.cgi?id=1284945 Review request for nodejs-jison-lex
-- Jared Smith
On Tue, Nov 24, 2015 at 8:57 AM, Jared K. Smith jsmith@fedoraproject.org wrote:
> In the interest of time, I've already started on these -- hopefully not duplicating the work of anyone else.
I'm starting on nodejs-JSONSelect next, but I'm likely to be interrupted by ${DAYJOB} meetings for the next hour or so. I'll be available on IRC if people want to chat with me, however.
-Jared
On Tue, Nov 24, 2015 at 9:29 AM, Jared K. Smith jsmith@fedoraproject.org wrote:
> I'm starting on nodejs-JSONSelect next, but I'm likely to be interrupted by ${DAYJOB} meetings for the next hour or so. I'll be available on IRC if people want to chat with me, however.
https://bugzilla.redhat.com/show_bug.cgi?id=1285049 Review for nodejs-JSONSelect
On Tue, Nov 24, 2015 at 1:25 PM, Jared K. Smith jsmith@fedoraproject.org wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1285049 Review for nodejs-JSONSelect
https://bugzilla.redhat.com/show_bug.cgi?id=1285051 Review for nodejs-cjson
On Tue, Nov 24, 2015 at 1:37 PM, Jared K. Smith jsmith@fedoraproject.org wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1285051 Review for nodejs-cjson
https://bugzilla.redhat.com/show_bug.cgi?id=1285412 Review for nodejs-ebnf-parser
-Jared