[Pkg-javascript-devel] Bug#622628: Bug#622628: npm ready to be reviewed

Jonas Smedegaard dr at jones.dk
Thu Apr 5 12:01:36 UTC 2012 

On 12-04-03 at 11:57pm, Jérémy Lal wrote:
> it would be very nice to review npm package sitting at : 
> git://anonscm.debian.org/git/collab-maint/npm.git


Patch 2001 refer to debian/copyright.  I recommend to document 
explicitly, as the patch file will appear outside of the context of the 
full packaging - i.e. at http://patch-tracker.debian.org/package/npm

Maybe add a brief explicit note and then refer (with a URL, not a 
relative file reference) to further explanation e.g. a post to a 
bugreport.


I recommend to use ~dfsg (not ~dfsg9) in package versioning.  Remember 
to update everywhere, also e.g. in NEWS file.


Does not seem like news me to warn against use as root - and therefore 
inappropriate to list in NEWS file.  The similar text in README.Debian 
is vague: first a feature is described, and only in next separate 
pragraph discouraged.


Please avoid versioned (build-)dependencies when required version is 
satisfied in all Debian distros releases where the package is available 
at all.


Feels odd to me that Node is explained at the end of long description. I 
suggest to first introduce Node and afterwards go into more details.


Are you sure it is necessary to set the bash-completion script 
executable?  Seems odd to me that the dh_bash-completion script wouldn't 
take care of that if really needed.


Please use either true upstream URL (at Github) or a Debian-maintained 
redirection service to track and download upstream source (see node-xmpp 
for an example, using githubredir.debian.net).  The npmjs.org registry 
is nice but less trustworthy.


Repackaging of upstream source should be mentioned in Source paragraph 
in debian/copyright.  I recommend to also add a list of files/dirs 
stripped in an unofficial Files-Excluded paragraph (I intend to propose 
that as a future extension to DEP5 copyright file format, and also to 
make use of it in CDBS at some point).  See ghostscript packaging for an 
example.


You should not rely on executable bit being properly set in sources.  So 
instead of executing ./configure I suggest to invoke "bash ./configure".  
Or even better: Ship a prepared npmrc in debian subdir to avoid the need 
to execute upstream source during build (which is a slight security 
risk).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20120405/25641f12/attachment.pgp>

More information about the Pkg-javascript-devel mailing list