On 2025-04-01 22:58:54 +0200 (+0200), Thomas Goirand wrote:
On 4/1/25 18:38, Jeremy Stanley wrote: [...] The XStatic package thing is not ideal, but it at least fixes the issue of embedding libs, and offers downstream distribution an easy way to use whatever is already shipped by the distribution. So it has its own merits. [...]
Yes, the main problem I have with the xstatic approach is that OpenStack is still shipping copies of (arbitrarily old) Javascript libs we lack the bandwidth and coordination to track potential vulnerabilities in. But at least their versions and origin are (relatively) clear, so not as bad.
Ideally, these dependencies would be sourced at install (or at least build) time from their own upstream release artifacts either securely over the Internet or from locally-supplied copies.
Well, that's part of the problem. As you may know, it's forbidden in many distributions to download assets from the internet at build time in a package. It is at least forbidden in Red Hat, Ubuntu and Debian. [...]
Which is why I mentioned that they should also be capable of utilizing locally-supplied copies instead, e.g. those provided by separate packages in GNU/Linux distributions. The point is to make it clear what versions of dependencies are expected and their provenance, without creating even more burden for distro package maintainers who would otherwise need to unvendor/debundle things shipped in the project's source code. As for Javascript dependency hell making projects unpackagable, yes that's what makes the entire NPM ecosystem an attractive nuisance for software development. Unfortunately, I don't have any great solutions to that problem. -- Jeremy Stanley
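The sourcing scheme the thread circles around (a pinned upstream release artifact, or a locally supplied copy such as one from a distro package, with the expected version and provenance stated explicitly) as an added example. This is not code from the thread, from OpenStack or from XStatic; the dependency name, the upstream URL, the local directory layout and the file content are all constructed for illustration.

```python
"""Resolve a pinned static dependency from a local (distro) copy first and,
only when explicitly allowed, from its upstream release artifact, verifying a
SHA-256 pin either way. Added example; the manifest entry below is constructed."""
import hashlib
import os
import tempfile
import urllib.request
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Dependency:
    name: str        # hypothetical library name
    version: str     # version the project expects
    filename: str    # file name under <local_dir>/<name>/ and at the end of the URL
    url: str         # upstream release artifact (hypothetical URL)
    sha256: str      # pin recorded in the project's own manifest


class PinMismatch(Exception):
    """The candidate file does not match the SHA-256 pin in the manifest."""


class Unresolvable(Exception):
    """No local copy was found and network fetching is disabled (distro build policy)."""


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _verified(dep: Dependency, data: bytes, origin: str) -> bytes:
    """Fail loudly rather than silently use a different version than the one pinned."""
    digest = sha256_of(data)
    if digest != dep.sha256:
        raise PinMismatch(f"{dep.name} {dep.version} from {origin}: got {digest}, expected {dep.sha256}")
    return data


def resolve(dep: Dependency, local_dirs: Sequence[str], allow_network: bool = False) -> Tuple[bytes, str]:
    """Return (content, origin). Local copies win; the network is used only if the
    caller opts in, which a distro package build would not do."""
    for base in local_dirs:
        candidate = os.path.join(base, dep.name, dep.filename)
        if os.path.isfile(candidate):
            with open(candidate, "rb") as fh:
                return _verified(dep, fh.read(), candidate), candidate
    if not allow_network:
        raise Unresolvable(f"{dep.name} {dep.version}: no local copy under {list(local_dirs)} and network fetch disabled")
    if not dep.url.startswith("https://"):
        raise ValueError(f"{dep.name}: refusing to fetch over a non-TLS URL {dep.url}")
    with urllib.request.urlopen(dep.url) as resp:  # TLS-verified by urllib's default context
        return _verified(dep, resp.read(), dep.url), dep.url


def demo() -> Dict[str, bool]:
    """Constructed scenario: one dependency shipped in a fake distro directory."""
    content = b"/*! example.min.js 1.2.3 (constructed sample, not a real library) */\n"
    dep = Dependency(name="example", version="1.2.3", filename="example.min.js",
                     url="https://example.invalid/example/1.2.3/example.min.js",
                     sha256=sha256_of(content))
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as root:
        pkgdir = os.path.join(root, dep.name)
        os.makedirs(pkgdir)
        path = os.path.join(pkgdir, dep.filename)
        with open(path, "wb") as fh:
            fh.write(content)
        # 1. The distro-supplied copy matches the pin: used, no network needed.
        data, origin = resolve(dep, [root], allow_network=False)
        results["local_ok"] = data == content and origin == path
        # 2. A modified (or simply different-version) copy is rejected, not silently accepted.
        with open(path, "ab") as fh:
            fh.write(b"alert(1)\n")
        try:
            resolve(dep, [root], allow_network=False)
            results["tamper_rejected"] = False
        except PinMismatch:
            results["tamper_rejected"] = True
        # 3. No local copy and no network opt-in: the build stops with a clear error.
        try:
            resolve(dep, [os.path.join(root, "missing")], allow_network=False)
            results["offline_refused"] = False
        except Unresolvable:
            results["offline_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A pin mismatch on the local copy is deliberately an error rather than a fallthrough to the network: it means the distro ships a different version than the project pinned, and the right fix is to update the manifest (or carry a distro patch to it), which keeps the expected version and its provenance visible instead of burying the difference in a download.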