Bug#787774: giving up on packaging OpenPGP.js

2018-09-28 Thread Antoine Beaupré
On 2018-09-24 14:02:52, Antoine Beaupre wrote:
> On Thu, May 31, 2018 at 02:23:31PM -0400, Daniel Kahn Gillmor wrote:
>> i don't currently have the time to maintain dozens of new node packages,
>> unfortunately.
>
> Hi Daniel!
>
> I feel so sorry for you. I understand how you feel - packaging
> Javascript stuff is hard in Debian! I have never managed to do anything
> in there myself.
>
> That said, I did spend a few minutes creating a task page here, as seems
> to be the custom in the team:
>
> https://wiki.debian.org/Javascript/Nodejs/Tasks/openpgp
>
> It reused part of your RFPs (in CC) but somehow missed asmcrypto which I
> added by hand. node-rusha also seems to be missing from the current
> dependencies, so maybe that was fixed/changed.
>
> Anyway - from the looks of it, there are at least seven run-time
> dependencies missing, and 26 (or more?) build-time depends missing.

I found bugs in the js-task-edit script that mis-detected some
packages. After much wrangling (details in #909753), I managed to update
the page again and we're down to twenty build and seven run-time depends
missing.

Well. That was disappointing. But at least no one started working on
those 6 build-deps, right? :)

A.

-- 
That's the kind of society I want to build. I want a guarantee - with
physics and mathematics, not with laws - that we can give ourselves
real privacy of personal communications.
 - John Gilmore



Bug#894752: Bug#787774: giving up on packaging OpenPGP.js

2018-09-24 Thread Antoine Beaupre
On Thu, May 31, 2018 at 02:23:31PM -0400, Daniel Kahn Gillmor wrote:
> i don't currently have the time to maintain dozens of new node packages,
> unfortunately.

Hi Daniel!

I feel so sorry for you. I understand how you feel - packaging
Javascript stuff is hard in Debian! I have never managed to do anything
in there myself.

That said, I did spend a few minutes creating a task page here, as seems
to be the custom in the team:

https://wiki.debian.org/Javascript/Nodejs/Tasks/openpgp

It reused part of your RFPs (in CC) but somehow missed asmcrypto which I
added by hand. node-rusha also seems to be missing from the current
dependencies, so maybe that was fixed/changed.

Anyway - from the looks of it, there are at least seven run-time
dependencies missing, and 26 (or more?) build-time depends missing.

And that's not counting the peculiarities of OpenPGP.js you found during
your work as well.

Hopefully some Debian JavaScript wizard can pick that up eventually!

A.




Bug#787774: giving up on packaging OpenPGP.js

2018-05-31 Thread Daniel Kahn Gillmor
Control: retitle 896846 RFP: node-compressjs -- fast pure-JavaScript compression/decompression algorithms
Control: unclaim 896846 d...@fifthhorseman.net
Control: noowner 896846
Control: retitle 894753 RFP: node-asmcrypto -- JavaScript Cryptographic Library
Control: unclaim 894753 d...@fifthhorseman.net
Control: noowner 894753
Control: retitle 894752 RFP: node-rusha -- high-performance pure-javascript SHA1 implementation
Control: unclaim 894752 d...@fifthhorseman.net
Control: noowner 894752
Control: retitle 787774 RFP: node-openpgp -- OpenPGP JavaScript Implementation (OpenPGP.js)
Control: unclaim 787774 d...@fifthhorseman.net
Control: noowner 787774

I have tried to package OpenPGP.js for debian, but i don't think i have
the capacity to do it responsibly, so i'm releasing these tickets in the
hope that someone else with more stamina (or more
confidence/understanding of the node/npm ecosystem) can take the process
over.

I still want OpenPGP.js in debian, but i won't be the one maintaining it
in its current form.  I would be very grateful to anyone who steps up to
this task.

What i've found in trying to package it is that each attempt to package
turns up several additional missing dependencies, and this process is
recursive.  Including the packages necessary to actually build each
package from source (rather than just redistributing the blobs) and run
the package's unit tests adds even more dependencies.  (i'm basing this
understanding on the output of npm2deb more than anything else -- if
that tool is incorrect, i'd love to hear more about it!)

i don't currently have the time to maintain dozens of new node packages,
unfortunately.

Furthermore, it seems that OpenPGP.js uses some slight variants of other
packages.  for example, it uses a variant of compressjs that builds a
deployable version of bzip2, rather than either making that deployable
version as part of the openpgpjs build process, or getting that change
upstreamed into compressjs.  in another example, the 3.0.x branch of
OpenPGP.js uses git master of https://github.com/indutny/elliptic,
rather than relying on a released version.

There are several tools that depend on OpenPGP.js that would be really
good to have in debian, and in general having another implementation of
OpenPGP built with the attention to software freedom, distributability,
and reproducibility that are the hallmarks of debian would be healthy
for the OpenPGP ecosystem.  So i hope someone else can pick up this
packaging work.  If you're interested and have questions about it, i'm
happy to try to consult with you, but i can't do it myself.

Many thanks to the folks on #debian-js who helped me understand just how
far over my head i'd need to go!

--dkg
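
[Added example, not part of the messages in this thread and not code from OpenPGP.js or Debian tooling.] The message above notes dependencies that track a package variant or a git branch rather than a released version. One way a packager could surface such entries in a `package.json` is sketched below; the manifest, package names, URLs and commit hash are constructed placeholders, and `classifySpec` / `findUnreleased` are hypothetical helper names.

```javascript
// Flag package.json dependencies that do not resolve to a released
// registry version: git URLs, hosted-git shorthands, tarballs, local paths.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one npm dependency specifier string.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^git(\+(ssh|https?|file))?:\/\//.test(s)) return 'git-url';
  if (/^(github|gitlab|bitbucket|gist):/.test(s)) return 'hosted-git';
  if (/^https?:\/\//.test(s)) return 'tarball-url';
  if (/^(file:|\.{0,2}\/|~\/)/.test(s)) return 'local-path';
  // "user/repo" or "user/repo#commitish" is GitHub shorthand.
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(s)) return 'hosted-git';
  return 'registry'; // semver range or dist-tag
}

// Return one finding per dependency that bypasses released versions.
// `pinned` is true only for a git source fixed to a full 40-hex commit id;
// a branch name (or no ref at all) floats and changes under the packager.
function findUnreleased(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'registry') continue;
      const ref = String(spec).split('#')[1] || '';
      const isGit = kind === 'git-url' || kind === 'hosted-git';
      findings.push({ section, name, spec, kind,
        pinned: isGit && /^[0-9a-f]{40}$/i.test(ref) });
    }
  }
  return findings;
}

// Constructed sample manifest (placeholder names, not a real project's).
const SAMPLE_MANIFEST = {
  name: 'example-app',
  dependencies: {
    'example-hash': '^0.8.13',
    'example-curve': 'github:example-org/example-curve',
    'example-compress': 'git+https://example.org/forks/example-compress.git' +
      '#0123456789abcdef0123456789abcdef01234567',
  },
  devDependencies: {
    'example-bundler': 'example-org/example-bundler#master',
    'example-test': '~2.1.0',
    'example-tool': 'https://example.org/dist/example-tool-1.0.0.tgz',
  },
};

for (const f of findUnreleased(SAMPLE_MANIFEST)) {
  console.log(`${f.section}: ${f.name} -> ${f.kind}${f.pinned ? ' (pinned commit)' : ''}`);
}
```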

