Hi, 2016-07-12 11:06 GMT+02:00 Moritz Muehlenhoff <[email protected]>:
> On Tue, Apr 26, 2016 at 11:32:54PM +0200, Jérémy Lal wrote: > > Update: > > https://nodejs.org/en/blog/announcements/v6-release > > """ > > In October 2016, Node.js v6 will become the LTS release and the LTS > release > > line (version 4) > > will go under maintenance mode in April 2017, meaning only critical bugs, > > critical security > > fixes and documentation updates will be permitted. > > Users should begin transitioning from v4 to v6 in October when v6 goes > into > > LTS. > > """ > > > > I guess it will be too late for next debian release - still, it's good to > > know. > > With the delayed freeze for jessie that would be doable again, right? > The nodejs LTS is more volatile than a traditional LTS (also including > bugfixes etc), but that seems ok (and is in line with e.g. security > support for Firefox ESR). > > If we include nodejs 6 with security support in jessie we would limit > it to the lifetime of that LTS branch. Is is already known how long > that will be? > The schedule [here](https://github.com/nodejs/LTS) states 2019-04-01 for the end of LTS 6 branch. I can testify, being a heavy Node.js developer / user, that nodejs 6 can already replace nodejs 4. There are no huge breaking changes and all mainstream modules are now compatible with both versions. The situation with v8 api is also much better - it shows deprecations warnings now (can you believe that ?). If time allows it, it will be best to do it. > I'm also slightly concerned about you being the single maintainer of > nodejs. Your updates in unstable have been really quick, but you'll > be on vacation/sick/busy, so I'd be really great to have a fallback > (not a blocker, though). Maybe a RFH on debian-devel would help? > Well, Jonas is also helping when i can't do the job, and more help is welcome. (For example I would very much like to use the source code of v8 shipped in Node.js as *the* source for a libv8 package, thus taking advantage of the long term support of nodejs, but i didn't find the time to do it.) > While I'm fine with nodejs in stretch, I have strong concerns about the > various node-* packages in the archive. It appears to me that the node > modules ecosystem is very volatile and I have doubts that the various > module upstreams will be able/willing to support the LTS branch of > nodejs (or security backports in general). As of today we have > already ten modules with unfixed security issues in unstable :-/ > I think we can provide nodejs as a solid for server applications, > but herding lots of poorly maintained node modules in a stable release > is stretching our resources too thin. Also, I suppose everyone is > used to npm anyway. > It does indeed requires a lot of man power and we're obviously short of it. I will happily ask to remove from testing many of the ones i uploaded myself; however (besides other obvious precautions): - some modules are very important to keep around (npm, node-gyp, node-nan, node-uglify and their dependencies to name a few) - debian is very good at packaging Node.js c++ addons (and many authors of c++ addons do terrible things on install like distributing precompiled binaries, downloading precompiled libraries...) Jérémy
_______________________________________________ Pkg-javascript-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
