I think that the Node.js packaging guidelines deserve some clarification with regard to bundling. They make it sound as if bundling is standard, there are autogenerated bundled provides, and everything is nice and shiny.
But looking at possibly packaging Rollup, I don't share this perspective. If I followed the guidelines, then the result would be simple (actually, the license would probably be just MIT):
```spec
Name:           rollup
Version:        3.15.0
Release:        %autorelease
Summary:        Next-generation ES module bundler

# ISC: e.g. bundled yargs-parser
License:        MIT AND ISC
URL:            https://rollupjs.org/
Source0:        https://registry.npmjs.org/%{name}/-/%{name}-%{version}.tgz

BuildRequires:  nodejs
BuildRequires:  nodejs-packaging
BuildArch:      noarch
ExclusiveArch:  %{nodejs_arches} noarch

%description
Rollup is a module bundler for JavaScript which compiles small pieces of code
into something larger and more complex, such as a library or application. It
uses the standardized ES module format for code, instead of previous
idiosyncratic solutions such as CommonJS and AMD. ES modules let you freely
and seamlessly combine the most useful individual functions from your favorite
libraries. Rollup can optimize ES modules for faster native loading in modern
browsers, or output a legacy module format allowing ES module workflows today.

%prep
%autosetup -n package

%install
install -d %{buildroot}%{nodejs_sitelib}/%{name}
cp -r package.json dist/ %{buildroot}%{nodejs_sitelib}/%{name}
install -d %{buildroot}%{_bindir}
ln -s ../lib/node_modules/%{name}/dist/bin/rollup %{buildroot}%{_bindir}/rollup

%check
%{__nodejs} -e 'require("./")'

%files
%license LICENSE.md
%doc README.md
%{nodejs_sitelib}/%{name}
%{_bindir}/rollup

%changelog
%autochangelog
```
Unfortunately, the output package does not provide any bundled provide whatsoever:

```
$ rpm -qpP /var/lib/mock/fedora-rawhide-x86_64/result/rollup-3.15.0-0.fc38.noarch.rpm
npm(rollup) = 3.15.0
rollup = 3.15.0-0.fc38
```

even though the Rollup binary, being created by Rollup itself, is composed of various dev dependencies.
I understand that, on one hand, the resulting file is JavaScript, human readable, and can be reviewed. OTOH, we should know more about the possible vulnerabilities of the original libraries, and I believe that this has always been Fedora's position.
If the argument that the output is "human readable and auditable JavaScript" is a strong one, then it should be clarified that one really does not need to bother with bundled provides and so on.
But if the current general bundling policies and the reasons behind them are the stronger argument, then the guidelines should stress this. And consequently, possibly many packages should be fixed (as an example, I was looking at the "typescript" package, which does not provide any bundled provides, but IMHO it should).
CC @sgallagh, @carlwgeorge
I should probably clarify the broader context. I am the maintainer of rubygem-actioncable, where there is an attempt to rebuild the bundled JS to fulfill the guidelines:
https://src.fedoraproject.org/rpms/rubygem-actioncable/blob/17cd9292126b92dae3ae88666dce515e62415bec/f/rubygem-actioncable.spec#_44-48
https://src.fedoraproject.org/rpms/rubygem-actioncable/blob/17cd9292126b92dae3ae88666dce515e62415bec/f/rubygem-actioncable.spec#_68-79
However, there are two caveats:

1. `BuildRequires: rubygem(coffee-script)`
2. The original code to build the JavaScript files was replaced by Rollup (and by scripts bundled by Rollup). However, I wonder what the point of the rebuild would be if it is fine to ship such files in other places. If other libraries do not list any bundled provides, neither would we need to. But it also has license implications (as already shown above).
BTW, there are related JavaScript guidelines:
https://docs.fedoraproject.org/en-US/packaging-guidelines/JavaScript/#_bundling_of_other_libraries
which make no exception for JavaScript.
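As an added illustration of what the ticket asks for (this is example code written for this page; it is neither the ticket author's spec nor part of Rollup, nodejs-packaging or the Fedora guidelines), the script below derives `Provides: bundled(npm(...))` lines in the form the Node.js guidelines use from an upstream `package-lock.json`, collects the SPDX ids of the inlined packages for the `License:` review, and flags an `rpm -qpP` listing that carries no `bundled()` provide at all. It assumes a lockfileVersion 2 or 3 lock file (the `packages` map) and that the packager supplies the list of packages that really end up inlined in `dist/`; the lock file contents and the package names in it are constructed for the demo.

```python
"""Derive bundled() provides for a Node.js RPM from package-lock.json.

Added example, not code from the ticket, Rollup or nodejs-packaging.
Assumes lockfileVersion >= 2 (the "packages" map) and a packager-supplied
list of the packages that the shipped bundle actually inlines.
"""
import json

# Constructed sample lock file for the demo; not Rollup's real lock file.
SAMPLE_LOCK = json.dumps({
    "name": "rollup",
    "version": "3.15.0",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "rollup", "version": "3.15.0", "license": "MIT"},
        "node_modules/yargs-parser": {"version": "21.1.1", "dev": True, "license": "ISC"},
        "node_modules/fsevents": {"version": "2.3.2", "optional": True, "license": "MIT"},
        "node_modules/typescript": {"version": "4.9.5", "dev": True, "license": "Apache-2.0"},
        "node_modules/@rollup/plugin-json": {"version": "6.0.0", "dev": True, "license": "MIT"},
        "node_modules/semver": {"version": "7.3.8", "dev": True, "license": "ISC"},
        # a second, nested copy of semver: ambiguous until the packager checks dist/
        "node_modules/typescript/node_modules/semver": {"version": "6.3.0", "dev": True},
    },
})

# Constructed copy of the listing shown in the ticket: no bundled() entries.
RPM_QPP_OUTPUT = """npm(rollup) = 3.15.0
rollup = 3.15.0-0.fc38
"""


def lock_packages(lock_text):
    """Map package name -> list of (version, license) for every node_modules entry.

    Nested paths such as node_modules/a/node_modules/b are attributed to "b",
    so one name may carry several versions; scoped names (@scope/name) survive.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("need lockfileVersion >= 2 (the 'packages' map)")
    found = {}
    for path, meta in lock["packages"].items():
        if "node_modules/" not in path:
            continue  # root entry or workspace link, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        found.setdefault(name, []).append((meta["version"], meta.get("license")))
    return found


def bundled_provides(lock_text, inlined):
    """Return {name: version} for the packages the bundle inlines.

    A name that is missing from the lock or present in more than one version
    is an error: the packager must determine which copy was bundled, not guess.
    """
    pkgs = lock_packages(lock_text)
    result = {}
    for name in inlined:
        versions = pkgs.get(name, [])
        if len(versions) != 1:
            raise ValueError(f"{name}: expected exactly one copy, found {len(versions)}")
        result[name] = versions[0][0]
    return result


def provides_lines(bundled):
    """Render spec lines in the bundled(npm(name)) = version form."""
    return [f"Provides: bundled(npm({n})) = {v}" for n, v in sorted(bundled.items())]


def licenses(lock_text, inlined):
    """Sorted SPDX ids of the inlined packages, to merge into the License: tag."""
    pkgs = lock_packages(lock_text)
    return sorted({lic for name in inlined for _, lic in pkgs.get(name, []) if lic})


def missing_bundled_provides(rpm_qpp_text):
    """True when an `rpm -qpP` listing contains no bundled() provide at all."""
    return not any(line.strip().startswith("bundled(")
                   for line in rpm_qpp_text.splitlines())


if __name__ == "__main__":
    inlined = ["yargs-parser", "@rollup/plugin-json"]  # hypothetical dist/ findings
    print("\n".join(provides_lines(bundled_provides(SAMPLE_LOCK, inlined))))
    print("licenses to merge into License:", " AND ".join(licenses(SAMPLE_LOCK, inlined)))
    print("rpm output lacks bundled provides:", missing_bundled_provides(RPM_QPP_OUTPUT))
```

The deliberate failure on duplicate versions is the part worth keeping: a lock file for a build tool routinely holds several copies of the same library, and emitting a provide for the wrong one would hide exactly the vulnerability tracking the ticket is asking for.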