[Pkg-javascript-devel] Small Node.js packages in NEW

Ross Gammon ross at the-gammons.net
Fri Apr 17 07:27:20 UTC 2015


On 04/08/2015 08:18 PM, Sebastiaan Couwenberg wrote:
> Hi Thorsten,
> 
> I'm reluctantly looking into this issue further, but I need to know what
> requirements a Node.js module must meet to be eligible for its own
> source package.
> 
> What are your requirements for this?
> 
> Kind Regards,
> 
> Bas
> 

Okay, I will try and kick-start this again.

From a security perspective, as soon as there is more than one copy of
the same JavaScript library in the archive, it is not good (previous
threads on the topic mention this).

npm2deb can tell you the "rdepends" of a node module. If there is only
one reverse dependency, then it is safe to bundle that module at that time.

I have had upstreams complain about the fact that we take their bundles
and rip them apart (using different versions of the modules than they
have tested with)!

Of course that module may have dependencies that are already packaged in
Debian.

If lintian reliably warned us of this, then we could strip that module
from the bundle and patch things to use the Debian package instead.

And if lintian also told us when a node module becomes bundled more than
once in the future, then we could create a package for this module and
file a bug against the other packages.

This would not eliminate small packages, but would reduce the problem.

Is this an acceptable half-way house?

Regards,

Ross
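
The two warnings proposed in the message above (a bundled module that is already packaged, and a module bundled by more than one source package), as an added example; it is not part of the original message and is not lintian or npm2deb code. It assumes unpacked source packages sit side by side under one directory and that the caller supplies the set of already-packaged module names; all package and module names are constructed.

```python
import json
import os
import tempfile
from collections import defaultdict


def bundled_modules(source_root):
    """Map module name -> {source package: version} for each node_modules copy."""
    found = defaultdict(dict)
    for pkg in sorted(os.listdir(source_root)):
        for dirpath, _dirs, files in os.walk(os.path.join(source_root, pkg)):
            parent = os.path.dirname(dirpath)
            in_nm = os.path.basename(parent) == "node_modules"
            # Scoped modules live one level deeper: node_modules/@scope/<name>.
            scoped = (os.path.basename(parent).startswith("@")
                      and os.path.basename(os.path.dirname(parent)) == "node_modules")
            if "package.json" not in files or not (in_nm or scoped):
                continue
            try:
                with open(os.path.join(dirpath, "package.json")) as fh:
                    meta = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it
            if isinstance(meta, dict) and meta.get("name"):
                found[meta["name"]][pkg] = meta.get("version", "unknown")
    return found


def report(found, packaged):
    """Return (bundled but already packaged, bundled by more than one package)."""
    already = {m: c for m, c in found.items() if m in packaged}
    duplicated = {m: c for m, c in found.items() if len(c) > 1}
    return already, duplicated


def demo():
    """Run both checks over a constructed tree of three source packages."""
    layout = {"app-one": {"alpha-lib": "2.0.1", "beta-lib": "1.0.0"},
              "app-two": {"beta-lib": "1.2.0"},
              "app-three": {"gamma-lib": "0.1.0"}}
    with tempfile.TemporaryDirectory() as root:
        for pkg, mods in layout.items():
            for name, version in mods.items():
                d = os.path.join(root, pkg, "node_modules", name)
                os.makedirs(d)
                with open(os.path.join(d, "package.json"), "w") as fh:
                    json.dump({"name": name, "version": version}, fh)
        # Assumption: alpha-lib stands in for a module already packaged in Debian.
        return report(bundled_modules(root), packaged={"alpha-lib"})
```

Calling `demo()` returns the module that could be stripped in favour of the packaged copy and the module that now has two bundled copies at different versions; a module bundled only once and not yet packaged appears in neither result.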
