[Pkg-javascript-devel] Nodejs in stretch

Jérémy Lal kapouer at melix.org
Tue Jul 12 20:17:23 UTC 2016


Hi,

2016-07-12 11:06 GMT+02:00 Moritz Muehlenhoff <jmm at debian.org>:

> On Tue, Apr 26, 2016 at 11:32:54PM +0200, Jérémy Lal wrote:
> > Update:
> > https://nodejs.org/en/blog/announcements/v6-release
> > """
> > In October 2016, Node.js v6 will become the LTS release and the LTS release
> > line (version 4) will go under maintenance mode in April 2017, meaning only
> > critical bugs, critical security fixes and documentation updates will be
> > permitted.
> > Users should begin transitioning from v4 to v6 in October when v6 goes into
> > LTS.
> > """
> >
> > I guess it will be too late for next Debian release - still, it's good to
> > know.
>
> With the delayed freeze for jessie that would be doable again, right?
> The nodejs LTS is more volatile than a traditional LTS (also including
> bugfixes etc), but that seems ok (and is in line with e.g. security
> support for Firefox ESR).
>
> If we include nodejs 6 with security support in jessie we would limit
> it to the lifetime of that LTS branch. Is it already known how long
> that will be?
>

The schedule [here](https://github.com/nodejs/LTS) states 2019-04-01
for the end of LTS 6 branch.

I can testify, being a heavy Node.js developer / user, that nodejs 6 can
already replace nodejs 4. There are no huge breaking changes and all
mainstream modules are now compatible with both versions.
The situation with v8 api is also much better - it shows deprecation
warnings now (can you believe that?).
If time allows it, it will be best to do it.


> I'm also slightly concerned about you being the single maintainer of
> nodejs. Your updates in unstable have been really quick, but you'll
> be on vacation/sick/busy, so it'd be really great to have a fallback
> (not a blocker, though). Maybe a RFH on debian-devel would help?
>

Well, Jonas is also helping when I can't do the job, and more help is
welcome.

(For example I would very much like to use the source code of v8 shipped in
Node.js as *the* source for a libv8 package, thus taking advantage of the
long term support of nodejs, but I didn't find the time to do it.)


> While I'm fine with nodejs in stretch, I have strong concerns about the
> various node-* packages in the archive. It appears to me that the node
> modules ecosystem is very volatile and I have doubts that the various
> module upstreams will be able/willing to support the LTS branch of
> nodejs (or security backports in general). As of today we have
> already ten modules with unfixed security issues in unstable :-/


> I think we can provide nodejs as a solid for server applications,
> but herding lots of poorly maintained node modules in a stable release
> is stretching our resources too thin. Also, I suppose everyone is
> used to npm anyway.
>

It does indeed require a lot of manpower and we're obviously short of it.
I will happily ask to remove from testing many of the ones I uploaded myself;
however (besides other obvious precautions):
- some modules are very important to keep around (npm, node-gyp, node-nan,
  node-uglify and their dependencies to name a few)
- Debian is very good at packaging Node.js C++ addons (and many authors
  of C++ addons do terrible things on install like distributing precompiled
  binaries, downloading precompiled libraries...)

 Jérémy