[OE-core] [RFC][PATCH 0/6] NPM refactoring
Adrian Bunk
bunk at stusta.de
Thu Oct 24 15:37:40 UTC 2019
On Thu, Oct 24, 2019 at 02:12:43PM +0200, Alexander Kanavin wrote:
> On Thu, 24 Oct 2019 at 14:02, Stefan Herbrechtsmeier <
> stefan at herbrechtsmeier.net> wrote:
>
> > @Richard: What is your opinion about the per recipe dependency?
> > Typically OE use one recipe per project. The NPM based solution handle a
> > project and all dependencies via one recipe.
>
> I don't think it's at all realistic to stick to the 'one recipe per
> component' in node.js world. A typical 'npm install' can pull down
> hundreds, or over a thousand dependencies, it's not feasible to have a
> recipe for each.
Debian has for the perl/python/node/go/rust/haskell ecosystems
one recipe per component, with ~ 1k recipes each.
> I very much welcome a solution that uses 'npm install' in a way that
> preserves offline builds, and integrity/reproducibility of downloads.
> License management should be also handled by npm, and if it isn't, then we
> need to work with the upstream to address it.
How will CVE checking and security support work in such a setup?
Last time I looked at Rust I was wondering whether a vendored copy
of the OpenSSL sources was being used.
If git-lfs-native might run during fetch, it would also be good
if relevant CVEs in the Go libraries it uses get fixed.
> Alex
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
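The thread turns on two things: whether a lockfile-driven 'npm install' can give the integrity and reproducibility of downloads that Alexander asks for, and what inventory a per-component CVE check (Adrian's question) would need. The following is an added example, not code from OE-core, npm, or any of the thread's authors. It flattens a constructed package-lock.json (lockfileVersion 1 layout assumed: nested "dependencies" objects carrying "version", "resolved" and "integrity") into one record per component, flags entries that cannot be fetched reproducibly, and verifies a tarball against its Subresource Integrity (SRI) string. The tarball bytes and the lockfile are constructed for the example.

```python
"""Per-component inventory from an npm lockfile plus SRI verification.

Added example for the OE-core NPM refactoring thread; not project code.
Assumes the lockfileVersion 1 layout (nested "dependencies" objects).
"""
import base64
import hashlib
import hmac

# SRI algorithms accepted here. Older lockfiles carried sha1 integrity
# strings; those are rejected so a downgrade cannot slip through.
ALLOWED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
           "sha512": hashlib.sha512}


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Return the SRI string ("algo-base64digest") for a tarball."""
    digest = ALLOWED[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, sri: str) -> bool:
    """Check fetched bytes against a lockfile integrity string.
    Rejects unknown/weak algorithms and malformed base64 outright."""
    algo, sep, b64 = sri.partition("-")
    if not sep or algo not in ALLOWED:
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(ALLOWED[algo](data).digest(), expected)


def flatten_lock(lock: dict) -> list:
    """Walk the nested 'dependencies' tree and return one record per
    component: the inventory a per-component CVE check needs."""
    inventory = []

    def walk(deps: dict, parent: list) -> None:
        for name, meta in sorted(deps.items()):
            inventory.append({
                "name": name,
                "version": meta.get("version"),
                "resolved": meta.get("resolved"),
                "integrity": meta.get("integrity"),
                "dev": bool(meta.get("dev", False)),
                "path": parent + [name],   # where it sits in the tree
            })
            walk(meta.get("dependencies", {}), parent + [name])

    walk(lock.get("dependencies", {}), [])
    return inventory


def unreproducible(inventory: list) -> list:
    """Names of components that cannot be fetched offline and verified:
    no resolved URL, no integrity, or an integrity algorithm not allowed."""
    bad = []
    for entry in inventory:
        integrity = entry["integrity"] or ""
        if not entry["resolved"] or integrity.partition("-")[0] not in ALLOWED:
            bad.append(entry["name"])
    return bad


# Constructed tarball contents and lockfile (placeholders, not real packages).
FAKE_TARBALL = b"\x1f\x8b\x08\x00constructed-tarball-bytes-for-the-example"
SAMPLE_LOCK = {
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "express": {
            "version": "4.17.1",
            "resolved": "https://registry.example/express/-/express-4.17.1.tgz",
            "integrity": sri_for(FAKE_TARBALL),
            "dependencies": {
                "accepts": {
                    "version": "1.3.7",
                    "resolved": "https://registry.example/accepts/-/accepts-1.3.7.tgz",
                    "integrity": sri_for(FAKE_TARBALL, "sha256"),
                    "dependencies": {
                        "negotiator": {
                            "version": "0.6.2",
                            "resolved": "https://registry.example/negotiator/-/negotiator-0.6.2.tgz",
                            "integrity": sri_for(FAKE_TARBALL),
                        }
                    },
                }
            },
        },
        # Dev dependency with no integrity string: cannot be verified offline.
        "left-pad": {"version": "1.3.0",
                     "resolved": "https://registry.example/left-pad/-/left-pad-1.3.0.tgz",
                     "dev": True},
    },
}

if __name__ == "__main__":
    inv = flatten_lock(SAMPLE_LOCK)
    for e in inv:
        print(f"{'/'.join(e['path']):40} {e['version']:8} {e['integrity'] or 'NO INTEGRITY'}")
    print("not reproducible:", unreproducible(inv))
    print("tarball ok:", verify_sri(FAKE_TARBALL, SAMPLE_LOCK["dependencies"]["express"]["integrity"]))
```

The flattened records (name, version, resolved URL, SRI) are exactly what a do_fetch step can verify offline and what a CVE scanner needs per component; the `unreproducible` list is the set of entries a recipe would have to reject or pin before the lockfile can stand in for a fetch manifest.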