[Pkg-javascript-devel] npm packaging

Jonas Smedegaard dr at jones.dk
Thu Oct 13 17:14:02 UTC 2011


On 11-10-13 at 02:41pm, Jérémy Lal wrote:
> On 13/10/2011 14:11, Jonas Smedegaard wrote:
> > Worse: Source contains a binary executable.  Even though the 
> > accompanying notes state that the source is DFSG-free, but said 
> > sources are not included and we cannot know for sure if they are in 
> > fact used. Also it is statically linked which means it pulls in code 
> > from other sources which is certainly not available.  Package should 
> > be repackaged with deps/ subdir stripped.
> 
> Indeed, repackaging is not an option.

_not_ an option?!?  I suspect that was a negation typo...


> > Non-free TrueType font Gubblebum Blocky is included below html/*/.
> 
> I agree on simply removing the font file, it won't hurt.
> 
> > Also, all that documentation below html/ sems autogenerated using 
> > ronnjs.  So probably html/ should be stripped and instead generated 
> > at build time (with options to avoid that non-free font as needed).
> 
> Actually it's html and man pages that are generated from markdown 
> using ronnjs.

Yes, that's what I meant above: Source is the markdown files - the html 
files shipped upstream is generated code which preferrably we should not 
consume but regenerate.


> And i'm the upstream developer of ronnjs. But i have no time left 
> right now to take care of packaging it. Later ?

Oh, you are upstream.  Cool!

I would actually recommend to try find someone else to package your code 
since you are upstream - to ensure a minimum of code review.

I am pretty busy at the moment: take-off monday of a 3-month journey in 
Asia: http://wiki.jones.dk/DebianAsia2011

Since Node packages are often pretty simple to package and maintain, I 
will try find some helpers for it on my journey.  I am also a candidate 
myself.


> Also, even if there generated at build time, they are not supposed to 
> be removed from tarball, for no DFSG reason.

Source repackaging is generally allowed.  Ideally upstream tarball is 
sane, and then we should preserve it as-is to ease e.g. SHA-1 checksum 
verification across distros.  But when we do mess with source due to 
DFSG violations, we can just as well clean up other things, e.g. 
superfluous autogenerated code or superfluous convenience copies of 
source better provided as separate packages.


> > I notice a link to a youtube video in the regression tests.  Not 
> > sure, but if any regression tests go online during build, they 
> > should be disabled or patched to not do so.
> 
> I did not run the tests yet, so i don't know if it's possible to run 
> them during the build. I'd prefer doing that step later, too.

It was just a vague suspicion, so no concrete action needed - so let's 
just keep it in mind. :-)


> Do you agree on excluding :
> * deps/
> * html/*/GubbleBum-Blocky.ttf

Well, that would also involve...:

  * track copyright and licensing of node_modules/
  * track copyright and licensing of html/

...both of which is of no real benefit to Debian.

Packaging ronnjs is directly beneficial to our users. :-)

Packaging those other modules is indirectly beneficial to our users, as 
then they are each tracked for new upstream releases and their 
regression tests are done during build.



 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20111013/57a852ef/attachment.pgp>


More information about the Pkg-javascript-devel mailing list