[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: npm (mitigation)

From: Catonano
Subject: Re: npm (mitigation)
Date: Mon, 17 Jul 2017 11:32:49 +0200

2017-07-14 19:11 GMT+02:00 Jan Nieuwenhuizen <address@hidden>:
Catonano writes:

> I read that Jelle and Jan used their own branch in order to have npm
> based software to be installed in their GuixSD environments, as binary
> blobs

Jelle wrote a nice and clean npm importer, no binary anything.

Npm packages have the can be source or binary.  Depending on how you
want to look at it you can make change this source/binary disctinction
less white/black and turn it into a gray-scale.

As we are talking about _javascript_, in some cases source and binary
packages are identical.  In other cases, the binary packages come with
preprocessed documentation and lack the sources.  Other binary packages
include minimized _javascript_ and even further into the darkness some
binary packages do not include the non-minimized _javascript_.  Then some
binary packages come with pre-compiled binaries and the worst are binary
package that do not come with the C/C++ sources that were used to
compile these binaries.

In all these cases the binary packages can be built from their source
package.  Here is where it starts to get nasty.  Building a package from
source can only be done if you have all its dependencies already
installed.  In theory that should not be a problem.

It appears that the npm ecosystem has manouvered itself into a place
where bootstrapping seems impossible: it turns out that any serious
package (notably all npm build system packages) have over 1000
dependencies, often with cyclic dependencies or even missing packages.

To break this boostrap loop on Guix I have added a couple of patches
onto Jelle's npm importer branch that implement a --binary flag.  This
allows binary npm packages to be installed in Guix and serve as a basis
to build other npm packages from source.

Apparently have no problem*) adding binary blobs for gcc, haskell (...?)
to Guix.  Similarly we could consider adding a/some binary blobs for npm
buildsystem packages to Guix and use those for a basis to build
source-only packages.

> Can I ask you for instructions about how to do that exactly ?

   git clone

The branch `npm' is rebased on version-0.13.0, have a look at

   guix import npm --help

and look in gnu/packages/npm.scm for instructions.


*) Actually I do not like this very much and that's why some of us seek
   to remove the need for our bootstrap binaries with our stage0 and Mes

Both for the wrap up and for the instructions.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]