On Mon, Aug 6, 2018 at 5:00 AM, Peter Pentchev <roam(a)ringlet.net> wrote:
On Mon, Aug 06, 2018 at 02:26:51AM +0300, Peter Pentchev wrote:
> There is also another problem with fetching the needed libraries and
> their dependencies from the network during the build: to quote Forrest
> Gump, "you never know what you're going to get". The main reason
> I take part in packaging CPAN modules for Debian and I took part in
> packaging them for FreeBSD before that is that this is the only way
> to avoid unknown, unverified, and either buggy or malicious or both
> code slipping onto the user's system.
>
> Apologies if it feels like I'm pointing out the obvious, but it feels
> like it needs to be said.
So how do people feel about an intermediate solution: have RPM packages
of the libraries' source, but then have a mechanism for the applications
to minimize/compress/pack them however they like at build time?
TBH, I haven't done pretty much any JavaScript work (apart from a single
BootStrap application with a couple of jQuery callbacks to a PHP
backend several years ago, but I don't think that should count), and
I have no idea how difficult it would be to convert a build system
that is used to fetching stuff from the online repositories to fetch it
from local paths instead, but, if it is feasible, this feels right to
me at least.
G'luck,
Peter
That's not an RPM solution, that's a webpack solution to teach it to
use local tarballs instead of grabbing things elsewhere. It's also
precisely what ant, maven, gradle, and python modules with pip do. So
it's a quite common approach.
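The thread's concern is that code fetched during the build is unverified; one defensive check for the local-tarball approach described in the reply is to pin every vendored tarball to an SRI-style integrity hash (the `sha512-<base64>` form npm lockfiles use) and refuse to build if anything is missing, altered, or unpinned. This is an added example, not code from the thread or from webpack, npm or any packaging project; the vendor directory layout, file names and pinned hashes are constructed.

```python
import base64
import hashlib
import hmac
import os
import tempfile

def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Return an SRI-style string ('sha512-<base64>') for data, the form npm lockfiles pin."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_vendored(vendor_dir: str, pinned: dict) -> dict:
    """Compare each pinned tarball in vendor_dir with its expected SRI hash and return
    {name: 'ok' | 'missing' | 'mismatch' | 'unpinned'} so the build can fail closed."""
    results = {}
    for name, expected in pinned.items():
        path = os.path.join(vendor_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            actual = sri_digest(f.read(), expected.partition("-")[0])
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    # A tarball that nobody pinned must not be built in silently either.
    for entry in os.listdir(vendor_dir):
        if entry.endswith(".tgz") and entry not in pinned:
            results[entry] = "unpinned"
    return results

def build_allowed(results: dict) -> bool:
    return bool(results) and all(status == "ok" for status in results.values())

def demo() -> dict:
    """Constructed scenario: one intact, one tampered, one missing, one unpinned tarball."""
    vendor = tempfile.mkdtemp()
    samples = {
        "libfoo-1.0.0.tgz": b"constructed tarball bytes for libfoo",
        "libbar-2.0.0.tgz": b"contents that differ from what was pinned",
        "surprise-0.0.1.tgz": b"dropped into vendor/ without a pin",
    }
    for name, data in samples.items():
        with open(os.path.join(vendor, name), "wb") as f:
            f.write(data)
    pinned = {
        "libfoo-1.0.0.tgz": sri_digest(samples["libfoo-1.0.0.tgz"]),
        "libbar-2.0.0.tgz": sri_digest(b"the original libbar bytes"),
        "libbaz-3.0.0.tgz": sri_digest(b"pinned but never vendored"),
    }
    return verify_vendored(vendor, pinned)
```

In a real package build the pinned map would come from the lockfile shipped with the source, and the build script would abort unless `build_allowed` returns true.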