
Re: NPM and trusted binaries

From: Jan Nieuwenhuizen
Subject: Re: NPM and trusted binaries
Date: Thu, 08 Sep 2016 10:45:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Mike Gerwitz writes:

> If a user is able to build from source

That's a question that I like to explore.

If a user builds an npm package from its source repository, I assume
that they install the devDependencies needed for that using npm?

The transitive closure of installing all devDependencies for the `q'
package by building them all from their source repositories means
building > 6000 packages.

> , shouldn't Guix be able to?

> And if neither can, how can we guarantee that the provided binary is
> even free and actually corresponds to the given source?

I would also like to explore if the source/binary package metaphor is
a valid one for npm.

For the packages that I considered, I used the `diff' command to assert
that the JavaScript and C files included in the installable npm package
are identical to the ones in the repository.


Jan Nieuwenhuizen <address@hidden> | GNU LilyPond
Freelance IT | Avatar®  
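The check described in the message above, as an added example that is not part of the original post, of Guix, or of npm: walk the JavaScript and C files shipped in an unpacked npm package and run `diff` against the corresponding files in a source checkout. It assumes the package contents are in a directory such as the `package/` tree produced by extracting the tarball from `npm pack`, and that the checkout has the same layout; the `make_fixture` helper builds a small constructed package/repository pair so the script runs offline (the file names and contents in it are made up).

```shell
#!/bin/sh
# Added example: compare the .js/.c/.h files of an unpacked npm package
# against a source checkout. Not code from the original message.

# compare_package_to_repo PKG_DIR REPO_DIR
# Prints each shipped source file that is missing from, or differs from,
# the checkout. Returns 0 only when every such file is byte-identical.
compare_package_to_repo() {
    pkg="$1"
    repo="$2"
    status=0
    list=$(mktemp)
    # List shipped source files relative to the package root, sorted so
    # the report is stable across runs.
    (cd "$pkg" && find . -type f \( -name '*.js' -o -name '*.c' -o -name '*.h' \) \
        | sed 's|^\./||' | sort) > "$list"
    while IFS= read -r f; do
        if [ ! -f "$repo/$f" ]; then
            # Shipped in the package but absent from the repository:
            # there is no source to compare it with.
            echo "MISSING in repo: $f"
            status=1
        elif ! diff -q "$pkg/$f" "$repo/$f" >/dev/null; then
            echo "DIFFERS: $f"
            diff -u "$repo/$f" "$pkg/$f" || true
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# make_fixture: constructed package/repo pair (assumed layout, made-up
# contents) so the check can be exercised without network access.
# Prints the base directory it created.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/package/lib" "$base/package/src" "$base/repo/lib" "$base/repo/src"
    # identical file
    printf 'module.exports = function () { return 1; };\n' > "$base/repo/lib/index.js"
    cp "$base/repo/lib/index.js" "$base/package/lib/index.js"
    # file whose shipped copy differs from the checkout
    printf 'int add(int a, int b) { return a + b; }\n' > "$base/repo/src/add.c"
    printf 'int add(int a, int b) { return a + b + 1; }\n' > "$base/package/src/add.c"
    # file shipped in the package with no counterpart in the checkout
    printf 'var x = 1;\n' > "$base/package/lib/extra.js"
    echo "$base"
}

# Usage: compare.sh PKG_DIR REPO_DIR; with no arguments, run on the fixture.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    compare_package_to_repo "$1" "$2"
else
    d=$(make_fixture)
    compare_package_to_repo "$d/package" "$d/repo" || echo "package does not match source checkout"
fi
```

The comparison is one-directional on purpose: it establishes that what the package ships corresponds to files in the repository, which is the property the message checks. It says nothing about files the repository has and the package lacks, and it only covers files that exist as-is in the checkout; anything produced by a build step (transpiled or bundled JavaScript, generated C) will show up as MISSING or DIFFERS and needs to be rebuilt from source before it can be compared.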
