On Fri, Aug 4, 2017 at 10:43 AM Troy Dawson <tdawson@redhat.com> wrote:
> On Fri, Aug 4, 2017 at 6:48 AM, Stuart D Gathman <stuart@gathman.org> wrote:
>> I've started working on packaging scuttlebot for Fedora.  I see that we now have a Fedora package for every nodejs module.  This makes it easy to map directories in node_modules to package names - however, it means submitting hundreds of packages to ever get scuttlebot submitted.
>>
>> I'm wondering if there is a better way.  A node module typically corresponds to a .o file in a C library (with exceptions like libsodium).  It is like having a separate package for every function in glibc.  Suppose we did this:
>>
>> 1) a nodejs-stdlib that includes all the common modules (a list to be argued over at length :-) ).  There is no penalty other than a small amount of disk space for unused modules - just like with a C library.
>>
>> 2) other multi-module systems are combined - usually including all modules with the same first word.  For instance, all the pull stream modules begin with 'pull': pull-abortable, pull-box-stream, pull-cat, pull-cont, etc.  This would become nodejs-pull, and include all the pull modules.
>>
>> When the package name matches the first word of the module name, then determining the package is still easy.  When that is not the case, as with the proposed nodejs-stdlib, then dnf can still search for npm(...)
>
> Although this looks tempting, it's only looking at half the problem: versions. Nodejs modules get updated all the time, at different rates for different packages. If you had just one package for many modules, it would be getting updated at an alarming rate.

I think the better approach is carefully-controlled bundling in Fedora. As of a couple years ago, it is now permissible to bundle software together in Fedora if it meets certain conditions:
1) If the dependency is already packaged in Fedora and this software is compatible with that version, then this software must link against the unbundled version.
2) If the dependency is not yet packaged in Fedora but is likely to be useful to large amounts of Fedora software, it is strongly encouraged that it be packaged separately.
3) Other dependencies MAY be carried internally by the package that needs them, but that package MUST include `Provides: bundled(npm(modulename)) = version`

Rule 3) is so that if there is a security vulnerability in npm(modulename), we can find any and all software that is required to be updated. 

I haven't had any time to work on it, but I'd very much like to develop an automatic RPM dependency generator that will recurse down the node_modules directories, read their package.json files and automatically create those Provides. If anyone else wants to take a crack at doing that, it would be an immense help.
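The generator sketched in the last paragraph, as an added example that is not code from this thread or from Fedora's nodejs-packaging tooling: it walks every node_modules directory under a build root, reads each package.json, and emits one `Provides: bundled(npm(name)) = version` line per vendored module, so a later advisory for npm(name) can be matched against every package that carries it. The module names and versions in the demo tree are constructed for the example, the top-level package.json is skipped because it is the package itself rather than a bundled dependency, and the hyphen-to-tilde rewrite of semver prerelease versions is this example's choice for keeping the RPM version field valid, not a rule quoted from the thread.

```python
"""Emit RPM Provides for every npm module vendored under node_modules.

Added example; the directory layout in DEMO_LAYOUT is invented for the demo.
"""
import json
import os
import tempfile
from pathlib import Path


def rpm_version(npm_version):
    """RPM does not allow '-' in a version field, so a semver prerelease
    such as 1.0.0-beta.2 becomes 1.0.0~beta.2 (tilde sorts below the
    final release in RPM's comparison). This mapping is an assumption
    made for the example, not a guideline quoted from the thread."""
    return npm_version.replace("-", "~")


def is_bundled_module_dir(dirpath):
    """True for node_modules/<name> and node_modules/@scope/<name>."""
    parent = os.path.basename(os.path.dirname(dirpath))
    grandparent = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
    return parent == "node_modules" or (
        parent.startswith("@") and grandparent == "node_modules"
    )


def npm_bundled_provides(root):
    """Recurse through every node_modules tree below `root` and return
    sorted 'Provides: bundled(npm(name)) = version' lines.

    Nested node_modules (a dependency's own vendored deps) are included,
    because they are bundled too. The same module at the same version
    found twice yields one line; two different versions yield two lines.
    A package.json that is unreadable, malformed, or lacks name/version
    is skipped rather than producing a bogus Provides."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames or not is_bundled_module_dir(dirpath):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # nothing trustworthy to declare for this directory
        name, version = meta.get("name"), meta.get("version")
        if not isinstance(name, str) or not isinstance(version, str):
            continue
        found.add((name, rpm_version(version)))
    return ["Provides: bundled(npm(%s)) = %s" % (n, v) for n, v in sorted(found)]


# Constructed demo tree: a top-level package with direct, nested, scoped,
# prerelease and deliberately broken dependencies (all names/versions invented).
DEMO_LAYOUT = {
    "package.json": {"name": "scuttlebot-demo", "version": "0.1.0"},
    "node_modules/pull-stream/package.json": {"name": "pull-stream", "version": "3.6.0"},
    "node_modules/pull-cat/package.json": {"name": "pull-cat", "version": "1.1.11"},
    "node_modules/pull-cat/node_modules/pull-stream/package.json": {
        "name": "pull-stream", "version": "2.28.4"},
    "node_modules/@scope/thing/package.json": {"name": "@scope/thing", "version": "1.0.0-beta.2"},
    "node_modules/broken/package.json": "{not json",
}


def build_demo_tree(base):
    """Materialise DEMO_LAYOUT under `base` so the generator has real files to walk."""
    for rel, content in DEMO_LAYOUT.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        text = content if isinstance(content, str) else json.dumps(content)
        path.write_text(text, encoding="utf-8")


def demo():
    """Build the demo tree in a temporary directory and run the generator over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return npm_bundled_provides(tmp)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run as a script it prints four Provides lines: the scoped prerelease module, pull-cat, and pull-stream twice (once for each vendored version), while the malformed package.json and the top-level package contribute nothing. Wired into an RPM build, the same function would run over the buildroot during the dependency-generation phase and its output would be appended to the package's Provides.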