From: Adrian Bunk <bunk@stusta.de>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: brendan.le.foll@intel.com,
	"Paul Eggleton \(paul.eggleton@linux.intel.com\)"
	<paul.eggleton@linux.intel.com>,
	rennes@savoirfairelinux.com,
	OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [RFC][PATCH 0/6] NPM refactoring
Date: Thu, 24 Oct 2019 18:37:40 +0300
Message-ID: <20191024153740.GB9707@localhost>
In-Reply-To: <CANNYZj99FATCkw+6V088NkTWm3DEUAcoZaP+XBUR0xZnGeeQdw@mail.gmail.com>

On Thu, Oct 24, 2019 at 02:12:43PM +0200, Alexander Kanavin wrote:
> On Thu, 24 Oct 2019 at 14:02, Stefan Herbrechtsmeier <
> stefan@herbrechtsmeier.net> wrote:
> 
> > @Richard: What is your opinion about the per recipe dependency?
> > Typically OE uses one recipe per project. The NPM-based solution handles a
> > project and all dependencies via one recipe.
> 
> I don't think it's at all realistic to stick to the 'one recipe per
> component' in node.js world. A typical 'npm install' can pull down
> hundreds, or over a thousand dependencies, it's not feasible to have a
> recipe for each.

Debian has for the perl/python/node/go/rust/haskell ecosystems
one recipe per component, with ~ 1k recipes each.

> I very much welcome a solution that uses 'npm install' in a way that
> preserves offline builds, and integrity/reproducibility of downloads.
> License management should be also handled by npm, and if it isn't, then we
> need to work with the upstream to address it.

How will CVE checking and security support work in such a setup?

Last time I looked at Rust I was wondering whether a vendored copy
of the OpenSSL sources was being used.

If git-lfs-native might run during fetch, it would also be good
if relevant CVEs in the Go libraries it uses get fixed.

> Alex

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


