[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: On merging the npm importer

From: Jelle Licht
Subject: Re: On merging the npm importer
Date: Thu, 30 Mar 2017 16:22:05 +0200

2017-03-29 19:39 GMT+02:00 Christopher Allan Webber <address@hidden>:
Jan Nieuwenhuizen writes:

> Hi,

Hi Jan!

Hello Jan and Christopher!

> We have a working importer for npm packages written by Jelle that I have
> been using for about half a year.  It can use some improvements and
> that's why I think we should merge it.
> Have alook at my npm branch here, rebased on master

Would like to review soon, though I'll say that I think unless there are
serious problems, we should probably merge it.  Avoiding bitrot is prety
important, and at the very least I don't think it will hurt to have it

> I added a patch with several fixes for the importer and and build
> system.  So far, so good.
> There's a problem however with the --recursive option and the build
> system.  To quote Jelle[1]
>    To start of with something that did not work out as well as I had
>    hoped, getting a popular build system (e.g. Gulp, Grunt, Broccoli and
>    others) packaged.  As mentioned in my earlier mails, the list of
>    transitive dependencies of any of these suffer from at least the
>    following:
>    - It is a list with more than 4000 packages on it
>    - It is a list with at some point the package itself on it
> Most nontrivial npm packages use a build system, and all build systems
> have circular development dependencies.  Not all development
> dependencies are always required to build a package, but some certainly
> are nd there's no way to tell which is which, afaik.
> That's why I added a --binary option to the importer: it will not
> try to use the build system and instead mimick `what npm does.'  This
> does provide, however, an amazing reproducibility feature to the
> dependency woes that npm hackers are familar with.
> I suggest to not add any npm package to Guix that is the result of using
> the --binary option and to build a base of full-source/sanitized npm
> packages.

Cool... makes sense to me to have this as something we don't use for
Guix packages, but which might make Guix more useful for people who have
to use npm in the awkward "real world" that is the current state of npm.

As one of these people living in the "real world", this is exactly how I have been using the importer up till now.
I like and agree with most of your changes as they make the code much more robust in the face of inevitable failure.

Nonetheless, one could say that we should not make it too easy to inadvertently create package specifications for 'binaries'.

One tiny improvement might be to use `spdx-string->license` from (guix import utils), instead of duplicating this effort in the npm importer.

How would you propose we get to reviewing your code? Would you care to send some patches, or should we bother you via gitlab a bit more?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]