forums, mailing lists and other tools

Carsten Agger agger at modspil.dk
Wed Jan 31 20:19:27 UTC 2018



On 01/18/2018 10:28 AM, Daniel Pocock wrote:

> There is an issue:
> a) if the JavaScript is distributed as minified blobs and we can't
> rebuild it easily from source,
> b) if a large application makes heavy use of things like the NPM
> repository for its build process
>
> A lot of developers have given up trying to package large
> JavaScript-heavy web applications for Debian because they are incomplete
> or not really free software somewhere in the stack or the tool chain.
>
> The front-end developers end up using other repositories like NPM,
> thinking it is easier than doing something through Debian or Fedora, but
> it turns out that is just laziness; this type of thing would never
> happen if the code had been properly packaged:
>
> https://developers.slashdot.org/story/18/01/13/0149252/erroneous-spam-flag-affected-102-npm-packages
>
> https://developers.slashdot.org/story/16/03/23/0652204/how-one-dev-broke-node-and-thousands-of-projects-in-11-lines-of-javascript
>
> Conclusion: if stuff is not properly packaged in the beginning it
> becomes a minefield for support in the future.

I was thinking that this warning might in fact apply to my own 
practices. I don't really work in JavaScript, but I'm using a lot of 
Python packages in my day-to-day, and I almost never install them from 
Debian packages.

Why not?

* Versions. Often the packaged versions of Django, Plone and a lot of 
others are outdated. People normally don't install these things from 
Debian packages. Plone has its buildout system which pulls stuff from 
PyPI and other repositories, and for Django applications I always use 
pip against PyPI for installing.

* Non-root install. When using pip and virtualenv, everything can be 
installed locally. This also means you can fix things in the source code 
without having or using root access.

* Multiple installs - you can have multiple versions of the same package 
in non-root environments on the same host - something Django & Plone 
sites really use a lot.

So there are actually good reasons not to use Python libraries through 
Debian packages. I imagine the same is the case for JavaScript 
libraries, not least regarding the necessity of having several different 
versions coexist in the same OS install.

*On the other hand*, I do realize that if a key dependency suddenly goes 
missing on PyPI, the applications will break. But I don't think the 
correct solution for that is to use the Debian package except in very 
specific circumstances - building an in-house mirror of the dependencies 
would seem to work better. Or what do you think?

Best
Carsten
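As an added example (not code from this thread or from any of the projects named in it), one check that the in-house mirror Carsten proposes makes possible: audit a pip hash-pinned requirements file against a local wheelhouse, so a dependency that has vanished or changed upstream is reported before deployment instead of by an application breaking. The requirements text, the wheelhouse contents and the package names below are constructed for the demonstration; only pip's real `name==version --hash=sha256:<hex>` line format is assumed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# pip's hash-pinned line format: name==version --hash=sha256:<hex> [--hash=...]
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_requirements(text):
    """{(normalised name, version): {sha256 hex}}; refuses unpinned lines."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()
        if line:
            m, hashes = REQ_LINE.match(line), set(HASH_OPT.findall(line))
            if not m or not hashes:  # same rule as pip --require-hashes
                raise ValueError(f"not hash-pinned: {line!r}")
            pins[(m["name"].lower().replace("_", "-"), m["ver"])] = hashes
    return pins

def artifact_matches(path, name, version):
    """True if a wheel or sdist filename carries exactly this name/version."""
    prefix = f"{name}-{version}"
    fname = path.name.lower().replace("_", "-")
    return fname.startswith(prefix) and fname[len(prefix):len(prefix) + 1] in ("-", ".")

def audit_mirror(req_text, wheelhouse):
    """Per pin: 'ok', 'missing' (not mirrored) or 'mismatch' (wrong sha256)."""
    report = {}
    for (name, ver), hashes in parse_requirements(req_text).items():
        found = [p for p in Path(wheelhouse).iterdir() if artifact_matches(p, name, ver)]
        if not found:
            report[(name, ver)] = "missing"
        elif any(hashlib.sha256(p.read_bytes()).hexdigest() in hashes for p in found):
            report[(name, ver)] = "ok"  # at least one mirrored artifact matches a pin
        else:
            report[(name, ver)] = "mismatch"
    return report

def demo():
    """Constructed wheelhouse: one good pin, one tampered artifact, one absent."""
    wh = Path(tempfile.mkdtemp())
    good = wh / "Django-2.0.1-py3-none-any.whl"
    good.write_bytes(b"constructed bytes standing in for a real wheel")
    (wh / "requests-2.18.4.tar.gz").write_bytes(b"constructed bytes, not the pinned ones")
    reqs = (f"django==2.0.1 --hash=sha256:{hashlib.sha256(good.read_bytes()).hexdigest()}\n"
            "requests==2.18.4 \\\n    --hash=sha256:" + "0" * 64 + "\n"
            "internal-lib==0.3.0 --hash=sha256:" + "1" * 64 + "  # constructed name\n")
    return audit_mirror(reqs, wh)
```

Running the audit in CI against the mirror catches the two failure modes the thread worries about, a dependency that is no longer obtainable and one whose bytes no longer match what was reviewed, while a clean report means `pip install --require-hashes` from that mirror will succeed.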


