Filing a ticket here so we can collate information before making a decision.
The nodejs guidelines are here. They say things like:
You can provide a package that uses nodejs, but you should bundle all the nodejs libraries that are needed.
However, discussions on the devel list suggest that it isn't quite that simple. While bundling sources is fine, we cannot bundle pre-built binaries. So even when bundling other nodejs libraries, one must:
In practice, this is a lot of work and is not sustainable for each new package release.
So, unless we have clarification that we can bundle bits in plotly/bokeh as they are, we're going to have to drop these packages.
At least you are consistent in your typos, @ankursinha. :grin: I just did a s/boken/bokeh/ in two places.
Metadata Update from @ankursinha: - Issue assigned to ankursinha
I've been looking into this. While I was drafting an e-mail to the Python list etc., I saw that pgAdmin4 is now packaged. That's the package that the thread we've noted was about---and the thread, to me, had indicated that it can't really be included without building things from source.
So, I'm still confused.
https://src.fedoraproject.org/rpms/pgadmin4/tree/rawhide
It looks like this script basically does all the work:
https://src.fedoraproject.org/rpms/pgadmin4/blob/rawhide/f/prepare_vendor.sh
It uses yarn to install the deps, then tars them all up---and that is apparently fine to include in the package? It also does a license audit and generates the license list file and so on. Basically, we don't have to manually do any of this.
If this is the case, we should be able to do something similar for bokeh and plotly---we could even package plotly.js separately as a node module and then symlink it in the python package and so on.
Thoughts?
PS: really not sure why this script isn't mentioned in the node guidelines
If you read https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/AMCCDTQIA6U2RAONUPDABKRIVFFX2DHZ/, people aren’t just complaining about the licenses. It’s about having to deal with bundled fonts, pre-minified or transpiled code (e.g. from Typescript), and anything else in the bundled dependencies that wouldn’t pass standalone package review, and then go back and fix it dependency by dependency, with a bunch of manual patching and rebuilding and recursive development dependencies of those dependencies, and so on until you have “boiled the ocean.”
The Node.js packaging guidelines do prescribe a bundling script similar to the prepare_vendor.sh you linked. It even produces a list of licenses. It doesn’t remove as many things. But prepare_vendor.sh doesn’t remove everything that people are worried about either: for example, it removes some – not all – source maps for minified JS/CSS/etc, but it doesn’t remove the minified files (and there are hundreds, some of which might not be easily removable, and some of which might not have the extension .min.*, and so on). It doesn’t remove bundled fonts (.ttf, .woff, .woff2) – and doing so might break the package.
I don’t think the current packaging of pgadmin4 meaningfully deals with the issues people raised in the thread.
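An added example, not part of the original thread and not code from pgadmin4 or the Fedora guidelines: a small audit that lists what the comment above says a vendoring script can leave behind in a bundled dependency tree, namely fonts, source maps, and minified files, including ones without a `.min.*` name. The function names, category labels and the 200-characters-per-line threshold are assumptions made for this sketch.

```python
import tempfile
from pathlib import Path

BY_SUFFIX = {".ttf": "font", ".woff": "font", ".woff2": "font", ".map": "sourcemap"}
CODE_EXTS = {".js", ".mjs", ".cjs", ".css"}
MAX_AVG_LINE = 200  # assumed threshold (chars per line) for "looks minified"

def classify(path):
    """Return a finding category for one file, or None for plain source."""
    name, suffix = path.name.lower(), path.suffix.lower()
    if suffix in BY_SUFFIX:
        return BY_SUFFIX[suffix]
    if suffix not in CODE_EXTS:
        return None
    if ".min." in name:
        return "minified-by-name"
    # Minified files do not always carry .min.*, so also check the text's shape.
    text = path.read_text(encoding="utf-8", errors="replace")
    avg = len(text) / max(len(text.splitlines()), 1)
    return "minified-by-shape" if avg > MAX_AVG_LINE else None

def audit(root):
    """Walk a vendored tree and group relative paths by finding category."""
    root, findings = Path(root), {}
    for path in sorted(root.rglob("*")):
        kind = classify(path) if path.is_file() and not path.is_symlink() else None
        if kind:
            findings.setdefault(kind, []).append(path.relative_to(root).as_posix())
    return findings

# Constructed sample tree (not real package contents).
SAMPLE = {
    "pkg-a/dist/a.min.js": b"var a=1;" * 100,
    "pkg-a/dist/a.min.js.map": b"{}",
    "pkg-a/src/a.js": b"const a = 1;\nexport default a;\n",
    "pkg-b/bundle.js": b"!function(){return 1}();" * 200,
    "pkg-b/fonts/icons.woff2": b"\x00",
}

def audit_sample():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_bytes(data)
        return audit(tmp)

if __name__ == "__main__":
    print(audit_sample())
```

Calling `audit()` on an unpacked vendor tarball gives the list of files that would need either regeneration from source or a specfile comment and a license check.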
At the meeting today, we decided I'd file a ticket with FESCo to clarify all of this once and for all.
Filed https://pagure.io/fesco/issue/3177
This is what has been added to the packaging guidelines:
Packages containing JavaScript should make the best effort to regenerate any precompiled/pre-minimized JS wherever possible, as this leads to more maintainable packages. Where this would result in a significant hardship, the bundled pregenerated JS may be shipped with a specfile comment explaining the decision. This does not eliminate the requirement to validate licenses of bundled code. See <<Bundled Licenses>> below.
https://pagure.io/packaging-committee/c/889df8ad
So, we should be able to keep these packages as long as we can audit their licenses to ensure the pregenerated stuff is all under the right licenses.