On 01/18/2018 10:28 AM, Daniel Pocock wrote:
> There is an issue: a) if the JavaScript is distributed as minified blobs and we can't rebuild it easily from source, b) if a large application makes heavy use of things like the NPM repository for its build process
> A lot of developers have given up trying to package large JavaScript-heavy web applications for Debian because they are incomplete or not really free software somewhere in the stack or the tool chain.
> The front-end developers end up using other repositories like NPM, thinking it is easier than doing something through Debian or Fedora, but it turns out that is just laziness; this type of thing would never happen if the code had been properly packaged:
> https://developers.slashdot.org/story/18/01/13/0149252/erroneous-spam-flag-a...
> https://developers.slashdot.org/story/16/03/23/0652204/how-one-dev-broke-nod...
> Conclusion: if stuff is not properly packaged in the beginning it becomes a minefield for support in the future.
I was thinking that this warning might in fact apply to my own practices. I don't really work in JavaScript, but I'm using a lot of Python packages in my day-to-day, and I almost never install them from Debian packages.
Why not?
* Versions. Often the packaged versions of Django, Plone, and a lot of others are outdated. People normally don't install these things from Debian packages. Plone has its buildout system which pulls stuff from PyPI and other repositories, and for Django applications I always use pip against PyPI for installing.
* Non-root install. When using pip and virtualenv, everything can be installed locally. This also means you can fix things in the source code without having or using root access.
* Multiple installs - you can have multiple versions of the same package in non-root environments on the same host - something Django & Plone sites use a lot.
So there are actually good reasons not to use Python libraries through Debian packages. I imagine the same is the case for JavaScript libraries, not least regarding the necessity of having several different versions coexist in the same OS install.
*On the other hand*, I do realize that if a key dependency suddenly goes missing on PyPI, the applications will break. But I don't think the correct solution for that is to use the Debian package except in very specific circumstances - building an in-house mirror of the dependencies would seem to work better. Or what do you think?
Best,
Carsten
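The "in-house mirror of the dependencies" that the message above suggests can be as small as a directory of downloaded wheels served in the PEP 503 "simple" layout that pip already understands. The script below is an added example (not code from this thread, nor from Debian, pip, Django or Plone): it builds such a layout from a wheelhouse directory, records each file's SHA-256, and checks a hash-pinned requirements file against the mirror, so that a dependency that vanished upstream or was silently rebuilt is reported before an install runs. The placeholder wheel files, the project names and the requirement lines in `demo()` are constructed for illustration; the wheels are not real packages, and the parser assumes the simple `name==version --hash=sha256:...` form.

```python
"""Build a minimal PEP 503 'simple' index from a directory of wheels and
check a hash-pinned requirements file against it (added example)."""
import hashlib
import html
import os
import re
import shutil
import tempfile

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name):
    """PEP 503 project-name normalisation (Django == django == DJANGO)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_simple_index(wheelhouse, out_dir):
    """Copy every *.whl into out_dir/packages and write the PEP 503 layout
    under out_dir/simple.  Returns {normalized_name: {filename: sha256}}."""
    pkg_dir = os.path.join(out_dir, "packages")
    simple = os.path.join(out_dir, "simple")
    os.makedirs(pkg_dir, exist_ok=True)
    os.makedirs(simple, exist_ok=True)
    index = {}
    for fn in sorted(os.listdir(wheelhouse)):
        if not fn.endswith(".whl"):
            continue
        project = normalize(fn.split("-", 1)[0])  # wheel names start with the distribution
        dst = os.path.join(pkg_dir, fn)
        shutil.copyfile(os.path.join(wheelhouse, fn), dst)
        index.setdefault(project, {})[fn] = sha256_file(dst)
    for project, files in index.items():
        pdir = os.path.join(simple, project)
        os.makedirs(pdir, exist_ok=True)
        # href is relative to out_dir/simple/<project>/index.html; the #sha256=
        # fragment lets pip verify the download against the mirror's own record.
        links = "\n".join(
            '<a href="../../packages/%s#sha256=%s">%s</a>'
            % (html.escape(fn), digest, html.escape(fn))
            for fn, digest in sorted(files.items()))
        with open(os.path.join(pdir, "index.html"), "w") as f:
            f.write("<!DOCTYPE html><html><body>\n%s\n</body></html>\n" % links)
    with open(os.path.join(simple, "index.html"), "w") as f:
        f.write("<!DOCTYPE html><html><body>\n%s\n</body></html>\n"
                % "\n".join('<a href="%s/">%s</a>' % (p, p) for p in sorted(index)))
    return index


def parse_requirements(text):
    """Parse 'name==version --hash=sha256:...' lines (backslash continuations joined)."""
    reqs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError("unsupported requirement line: %r" % line)
        reqs.append((normalize(m.group(1)), m.group(2), set(HASH_RE.findall(line))))
    return reqs


def check_requirements(text, index):
    """List requirements the mirror cannot satisfy with a file whose hash matches
    a pinned hash: the cases where 'pip install --require-hashes' would fail."""
    problems = []
    for name, version, hashes in parse_requirements(text):
        if not hashes:
            problems.append("%s==%s: no --hash pin" % (name, version))
            continue
        files = index.get(name, {})
        ok = [fn for fn, d in files.items() if fn.split("-")[1] == version and d in hashes]
        if not ok:
            problems.append("%s==%s: not in mirror with a matching hash" % (name, version))
    return problems


def demo():
    """Constructed data: the 'wheels' are placeholder files, not real packages."""
    root = tempfile.mkdtemp(prefix="mirror-demo-")
    wheelhouse = os.path.join(root, "wheelhouse")
    os.makedirs(wheelhouse)
    fake = {"Django-2.0.1-py3-none-any.whl": b"constructed placeholder, not a wheel\n",
            "plone.api-1.8.4-py2-none-any.whl": b"another placeholder\n"}
    for fn, data in fake.items():
        with open(os.path.join(wheelhouse, fn), "wb") as f:
            f.write(data)
    index = build_simple_index(wheelhouse, os.path.join(root, "mirror"))
    good = hashlib.sha256(fake["Django-2.0.1-py3-none-any.whl"]).hexdigest()
    requirements = ("django==2.0.1 --hash=sha256:%s\n" % good
                    + "plone.api==1.8.4 --hash=sha256:%s\n" % ("0" * 64)   # hash mismatch
                    + "example-dep==1.0.0 --hash=sha256:%s\n" % ("1" * 64))  # never mirrored
    problems = check_requirements(requirements, index)
    shutil.rmtree(root)
    return index, problems


if __name__ == "__main__":
    for p in demo()[1]:
        print(p)
```

With the layout in place, a virtualenv is populated from the mirror alone with `pip install --index-url file:///path/to/mirror/simple/ --require-hashes -r requirements.txt`; `--require-hashes` makes pip refuse any file whose digest differs from the pin, which is the check that turns an upstream deletion or replacement into a loud failure instead of a silent one.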