On 01/18/2018 10:28 AM, Daniel Pocock wrote:

> There is an issue:
> a) if the JavaScript is distributed as minified blobs and we can't
> rebuild it easily from source,
> b) if a large application makes heavy use of things like the NPM
> repository for its build process
>
> A lot of developers have given up trying to package large
> JavaScript-heavy web applications for Debian because they are incomplete
> or not really free software somewhere in the stack or the tool chain.
>
> The front-end developers end up using other repositories like NPM,
> thinking it is easier than doing something through Debian or Fedora, but
> it turns out that is just laziness, this type of thing would never
> happen if the code had been properly packaged:
>
> https://developers.slashdot.org/story/18/01/13/0149252/erroneous-spam-flag-affected-102-npm-packages
>
> https://developers.slashdot.org/story/16/03/23/0652204/how-one-dev-broke-node-and-thousands-of-projects-in-11-lines-of-javascript
>
> Conclusion: if stuff is not properly packaged in the beginning it
> becomes a minefield for support in the future.

I was thinking that this warning might in fact apply to my own practices. I don't really work in JavaScript, but I'm using a lot of Python packages in my day-to-day, and I almost never install them from Debian packages.

Why not?

* Versions. Often the packaged versions of Django, Plone, and a lot of others, are outdated. People normally don't install these things from Debian packages. Plone has its buildout system which pulls stuff from PyPI and other repositories, and for Django applications I always use pip against PyPI for installing.

* Non-root install. When using pip and virtualenv, everything can be installed locally. This also means you can fix things in the source code without having or using root access.

* Multiple installs - you can have multiple versions of the same package in non-root environments on the same host - something Django & Plone sites really use a lot.

So there are actually good reasons not to use Python libraries through Debian packages. I imagine the same is the case for JavaScript libraries, not least regarding the necessity of having several different versions coexist in the same OS install.

*On the other hand*, I do realize that if a key dependency suddenly goes missing on PyPI, the applications will break. But I don't think the correct solution for that is to use the Debian package except in very specific circumstances - building an in-house mirror of the dependencies would seem to work better. Or what do you think?

Best
Carsten
_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion
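The in-house mirror Carsten proposes only closes the hole discussed in this thread if two things hold: an install must not be allowed to fall back to PyPI when a pinned dependency is absent from the mirror (the "dependency vanishes" case the linked npm incidents describe), and whatever is in the mirror must be checked against pinned hashes, so that an artifact that was re-published or replaced upstream cannot be copied in unnoticed. The following is an added example, not code from the thread or from any project mentioned in it. It writes out the check behind pip's `--require-hashes` mode over a local wheelhouse directory, so both failure modes are visible. The requirements list, the package names Django, requests and the hypothetical `vanished-dep`, and the stand-in "wheel" files are constructed fixtures, not real packages; the parser also simplifies pip's syntax (no continuation lines) and PEP 503 name normalization.

```python
"""Check a local dependency mirror against a hash-pinned requirements file.

Added example: the verification pip performs under --require-hashes,
written out by hand so the two supply-chain failure modes are explicit:
a pinned dependency missing from the mirror, and one whose artifact no
longer matches any pinned hash. All inputs below are constructed fixtures.
"""
import hashlib
import os
import re
import tempfile

# One pinned requirement per line, in pip's --require-hashes syntax:
#   name==version --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
# (pip also accepts hashes on backslash-continued lines; this parser does not.)
_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return {normalized name: (version, {allowed sha256 hex digests})}.

    A line that is not pinned to exactly one version with at least one hash
    is an error, as under pip --require-hashes: a floating version is what
    lets a replaced or newly published artifact slip into an install.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {raw!r}")
        name = m.group(1).lower().replace("_", "-")  # simplified PEP 503 normalization
        pins[name] = (m.group(2), set(_HASH_RE.findall(m.group(3))))
    return pins


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _artifacts(wheelhouse, name, version):
    """Files in the mirror whose name claims to be name==version (wheel or sdist)."""
    prefix = f"{name}-{version}"
    found = []
    for fn in os.listdir(wheelhouse):
        norm = fn.lower().replace("_", "-")
        rest = norm[len(prefix):]
        if norm.startswith(prefix) and (rest.startswith("-") or rest in (".tar.gz", ".zip")):
            found.append(os.path.join(wheelhouse, fn))
    return found


def verify_wheelhouse(wheelhouse, requirements_text):
    """Return {name: reason} for every pin the mirror cannot satisfy.

    An empty dict means each pinned dependency is present locally and at
    least one of its artifacts matches a pinned hash, so an install with
    --no-index would succeed without ever contacting PyPI.
    """
    problems = {}
    for name, (version, digests) in parse_requirements(requirements_text).items():
        files = _artifacts(wheelhouse, name, version)
        if not files:
            problems[name] = f"{name}=={version} is missing from the mirror"
        elif not any(_sha256(p) in digests for p in files):
            problems[name] = f"{name}=={version} is present but no artifact matches a pinned hash"
    return problems


def demo():
    """Constructed wheelhouse: one good artifact, one tampered, one vanished."""
    good = b"constructed stand-in for the Django 2.0.1 wheel\n"
    pinned_requests = b"constructed stand-in for the requests 2.18.4 wheel\n"
    reqs = "\n".join([
        f"Django==2.0.1 --hash=sha256:{hashlib.sha256(good).hexdigest()}",
        f"requests==2.18.4 --hash=sha256:{hashlib.sha256(pinned_requests).hexdigest()}",
        f"vanished-dep==1.0.0 --hash=sha256:{'0' * 64}",  # hypothetical package, never mirrored
    ])
    with tempfile.TemporaryDirectory() as wheelhouse:
        with open(os.path.join(wheelhouse, "Django-2.0.1-py3-none-any.whl"), "wb") as f:
            f.write(good)
        # Same file name as the pin, different bytes: what a replaced or
        # re-published upload looks like from the mirror's point of view.
        with open(os.path.join(wheelhouse, "requests-2.18.4-py2.py3-none-any.whl"), "wb") as f:
            f.write(b"something else entirely\n")
        return verify_wheelhouse(wheelhouse, reqs)


if __name__ == "__main__":
    for dep, reason in demo().items():
        print(f"FAIL {dep}: {reason}")
```

In practice the mirror is populated with `pip download -r requirements.txt -d wheelhouse` and consumed with `pip install --no-index --find-links wheelhouse --require-hashes -r requirements.txt`; `--no-index` is what turns a package missing from the mirror into a hard failure rather than a silent fallback to PyPI, and `--require-hashes` is what rejects a mirrored file whose contents differ from the pin.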
