The Node.js guidelines say about Source0:
"The canonical method for shipping most node modules is tarballs from
the npm registry"
"This method [PP: tarballs from npm] should be preferred to using
checkouts from git or automatically generated tarballs from GitHub."
But I think that in the following cases it would be better to use sources
from the upstream project:
1) When the license is not included in NPM but is in upstream project.
o Because we are not supposed to ship the license separate from the
2) When the tests are not included.
o In this case we need to download the sources from NPM and from
upstream project, which seems redundant and a waste of work.
3) When NPM content is generated and source files are not in NPM.
o This would mean to download sources from NPM and upstream project,
delete the NPM sources in prep and generate the files again.
Are there good reasons to enforce the use of NPM sources which I am
missing? What is your opinion?
I would like to suggest adding those three exceptions to the guidelines.
I've started working on packaging scuttlebot for Fedora. I see that we now have a Fedora package for every nodejs module. This makes it easy to map directories in node_modules to package names - however, it means submitting hundreds of packages to ever get scuttlebot submitted.
I'm wondering if there is a better way. A node module typically corresponds to a .o file in a C library (with exceptions like libsodium). It is like having a separate package for every function in glibc. Suppose we did this:
1) a nodejs-stdlib that includes all the common modules (a list to be argued over at length :-) ). There is no penalty other than a small amount of disk space for unused modules - just like with a C library.
2) other multi-module systems are combined - usually including all modules with the same first word. For instance, all the pull stream modules begin with 'pull': pull-abortable, pull-box-stream, pull-cat, pull-cont, etc. This would become nodejs-pull, and include all the pull modules.
When the package name matches the first word of the module name, then determining the package is still easy. When that is not the case, as with the proposed nodejs-stdlib, then dnf can still search for npm(...)
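The following is an added illustration of the grouping proposal above; it is not code from the post or from Fedora's nodejs-packaging tooling. The stdlib module list, the `min_group` threshold and the sample module names (apart from the pull-* ones quoted in the post) are constructed assumptions. It maps node_modules directory names to candidate package names with the two rules proposed (a bundled nodejs-stdlib, and nodejs-&lt;word&gt; for families sharing a first word), and builds the `dnf repoquery --whatprovides 'npm(...)'` lookup for the cases where the name cannot be guessed.

```python
"""Added example (not from the mailing-list post): sketch of the proposed
module-to-package mapping for node_modules directories."""
from collections import defaultdict
import shlex

# Constructed assumption: modules a hypothetical nodejs-stdlib would bundle.
STDLIB_MODULES = {"minimist", "inherits", "once", "debug"}


def first_word(module):
    """Leading segment of a dash-separated npm name ('pull-cat' -> 'pull')."""
    return module.split("-", 1)[0]


def plan_packages(modules, stdlib=STDLIB_MODULES, min_group=2):
    """Map each node_modules directory name to a Fedora package name.

    Rules, following the proposal in the post:
      * names in the stdlib set go to nodejs-stdlib;
      * names whose first word is shared by at least `min_group` modules
        are combined into nodejs-<word> (e.g. nodejs-pull);
      * everything else keeps a one-module package nodejs-<name>.
    """
    groups = defaultdict(list)
    for m in modules:
        if m not in stdlib:
            groups[first_word(m)].append(m)

    plan = {}
    for m in modules:
        if m in stdlib:
            plan[m] = "nodejs-stdlib"
        elif len(groups[first_word(m)]) >= min_group:
            plan[m] = "nodejs-" + first_word(m)
        else:
            plan[m] = "nodejs-" + m
    return plan


def provides_query(module):
    """dnf command resolving a module through its npm(...) virtual provide,
    for the case where the package name cannot be derived from the name."""
    return "dnf repoquery --whatprovides " + shlex.quote(f"npm({module})")


if __name__ == "__main__":
    # Constructed sample: pull-* names from the post plus assumed extras.
    sample = ["pull-abortable", "pull-box-stream", "pull-cat", "pull-cont",
              "minimist", "libsodium", "secret-stack"]
    for mod, pkg in sorted(plan_packages(sample).items()):
        print(f"{mod:18} -> {pkg}")
    print(provides_query("pull-cat"))
```

Run stand-alone it prints the mapping for the sample list (all pull-* names collapse to nodejs-pull, minimist to nodejs-stdlib, the rest stay one-to-one) and the dnf query for a module whose package name is not obvious.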
I tried bundling http-parser in the Node.js package on EPEL 7, but that
revealed another issue. We've been carrying a patch for Node.js that makes
it compatible with OpenSSL 1.0.1 (which was present on RHEL 7.0 through
RHEL 7.3). However, RHEL 7.4 contains OpenSSL 1.0.2 and this version is
what is in the official Fedora/EPEL 7 build repositories on the Koji Build
System. The design of the OpenSSL compat patch is such that it sees that
OpenSSL 1.0.2 is present in the build-system and skips all of the changes.
As a result, we cannot build Node.js in EPEL 7 with OpenSSL 1.0.1 support
at this time (without a significant effort to rework the compatibility
patches). So regardless of the http-parser issue, we require packages from
RHEL 7.4 in order to function either way.
I am currently rebuilding the Node.js package with the knowledge that it
can only work with http-parser and OpenSSL from the 7.4 repositories. This
means that Node.js will not be installable from EPEL on CentOS until CentOS
7.4 packages are publicly available.
I apologize for the inconveniences that I know this must cause. It should
hopefully only be a few days before CentOS 7.4 is released and the problem
will more or less disappear.
First, I hope I'm posting this in the right place. I did a good deal of
looking, and here seemed like the best place.
I've done some significant looking through various sources of information,
including asking on IRC, though I wasn't able to find any real direct
answers to my question.
The best I could find was a link to
https://fedoramagazine.org/node-js-6-x-lts-coming-epel-7/ which stated that
for EL7, nodejs-0.10 was being just changed to 6.x. This doesn't explicitly
say anything about EL6 though, which brings me to the actual question.
Since CVE-2017-11499 covers pretty much every version of NodeJS (source:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/) I
was wondering if the fix was going to be backported, or if the NodeJS-0.10
(and 0.12) line was going to be completely dropped, with removal of the
packages from the repo, or something else entirely?
I'm more just hoping to find a more official word on the plans for this. I
can look through Koji and see that it's been untouched since October last
year, and I can look through mailing list posts for the last 12 months, but
I can't really find anything stating the plans for the package.