[Bug 1518262] Review Request: nodejs-yarn - Fast, reliable, and secure dependency management
https://bugzilla.redhat.com/show_bug.cgi?id=1518262

--- Comment #16 from Zuzana Svetlikova ---
So, I looked into it... it generated provides just fine, and for requires it skips the uppermost node_modules directory, but still generates requires for bundled modules. Here I used %__provides_exclude_from macro.

As for the nodejs- prefix, I left nodejs-yarn and removed it from yarnpkg, but maybe someone else could express their opinion on this.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.5.1-2.fc28.src.rpm

--- Comment #17 from Neal Gompa ---
The SRPM URL is invalid. Please post a working SRPM link.

--- Comment #18 from Zuzana Svetlikova ---
Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.5.1-2.fc29.src.rpm

--- Comment #19 from Neal Gompa ---
The nodejs-yarn package has "npm()" Provides for all the bundled nodejs modules, which would confuse and break things.

--- Comment #20 from Neal Gompa ---
Also, the spec and SRPM don't match, at least with the changelog, though it looks like it's because you fixed the changelog entries in the spec...

--- Comment #21 from Zuzana Svetlikova ---
Rebuilt with new nodejs-packaging.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.6.0-1.fc29.src.rpm

Neal Gompa changed:

           What    |Removed                     |Added
              Flags|fedora-review?              |fedora-review+

--- Comment #22 from Neal Gompa ---
Review notes:

* Complies with packaging guidelines
* Bundled dependencies are fully enumerated
* Follows packaging policies for Nodejs applications
* No rpmlint errors of note

PACKAGE APPROVED.

--- Comment #23 from Gwyn Ciesla ---
(fedrepo-req-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/nodejs-yarn

Neal Gompa changed:

           What    |Removed                     |Added
             Status|NEW                         |CLOSED
         Resolution|---                         |RAWHIDE
        Last Closed|                            |2018-07-06 07:16:22

--- Comment #24 from Neal Gompa ---
Pushed into rawhide.

Zuzana Svetlikova changed:

           What    |Removed                     |Added
             Blocks|                            |956806 (nodejs-reviews)

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=956806
[Bug 956806] Node.js Review Tracker

Neal Gompa changed:

           What    |Removed                     |Added
                 CC|                            |ngomp...@gmail.com
           Assignee|nob...@fedoraproject.org    |ngomp...@gmail.com
              Flags|                            |fedora-review?

--- Comment #1 from Neal Gompa ---
Taking this review.

Zuzana Svetlikova changed:

           What    |Removed                     |Added
              Flags|                            |needinfo?(ngomp...@gmail.com)

--- Comment #2 from Zuzana Svetlikova ---
Any update?

Neal Gompa changed:

           What    |Removed                        |Added
              Flags|needinfo?(ngomp...@gmail.com)  |

--- Comment #3 from Neal Gompa ---
> # packaging from npm is far more easier than packaging from GH
> Source0: https://registry.npmjs.org/%{npm_name}/-/%{npm_name}-%{version}.tgz

Upstream does not advise that yarn sources are retrieved from npm and suggest it should be packaged from the pristine sources uploaded to GitHub. Have you verified that the sources are the same and that it is functional?

> License: BSD-2-Clause

We do not use SPDX identifiers in Fedora. This should be "BSD".

> %files
> ...
> %{_bindir}/nodejs-yarn
> %{_bindir}/nodejs-yarnpkg

No one is going to be able to find either of these. Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg". As for "%{_bindir}/nodejs-yarn", how are you going to make this discoverable?

If you're renaming files, you also need to provide a README.Fedora that is installed into the yarn doc dir that describes our changes.

--- Comment #4 from Zuzana Svetlikova ---
> Upstream does not advise that yarn sources are retrieved from npm and suggest
> it should be packaged from the pristine sources uploaded to GitHub.

I haven't seen such information. But I admit, that among alternative install methods[1] they state "installing from npm is not recommended due to security risks" and rather provide their own tarball, which is, however, the same, contentwise. I will change URL to that source [2].

When I tried GH sources, I needed to install quite an amount of packages. To be exact:

root@435574b62c7d:~/yarn# npm ls | wc -l
1725

I would like to avoid that.

> Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg".

I wanted some consistency, so I renamed both yarn and yarnpkg.

Readme added.

[1]: https://yarnpkg.com/en/docs/install#alternatives-tab
[2]: https://yarnpkg.com/downloads/1.3.2/yarn-v1.3.2.tar.gz

Spec URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn-1.3.2-2.fc28.src.rpm
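
Added example, not part of the original thread or of the package under review: one way to check whether a registry tarball and an upstream release tarball carry the same files, as asked in comment #3 and answered in comment #4. The sample archives are constructed in memory; the top-level directory names ("package" for the registry tarball, "yarn-v0.0.0" for the upstream one) and all file contents are assumptions for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    # Members are read in memory and never extracted to disk, so hostile
    # paths ("../x", absolute names) in an untrusted archive write nothing.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            # Drop the differing top-level directory so paths line up.
            rel = "/".join(parts[1:]) or parts[0]
            data = tar.extractfile(member).read()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def compare(a_bytes, b_bytes):
    """Report files present on one side only or whose contents differ."""
    a, b = manifest(a_bytes), manifest(b_bytes)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def make_tarball(top_dir, files):
    """Build a small .tar.gz in memory (constructed sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(f"{top_dir}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: two shared files, one differing file, one extra file.
COMMON = {
    "package.json": b'{"name": "yarn", "version": "0.0.0"}\n',
    "bin/yarn.js": b"require('../lib/cli');\n",
}
REGISTRY_TARBALL = make_tarball("package", {**COMMON, "lib/cli.js": b"// build A\n"})
UPSTREAM_TARBALL = make_tarball(
    "yarn-v0.0.0",
    {**COMMON, "lib/cli.js": b"// build B\n", "LICENSE": b"BSD 2-Clause\n"},
)

if __name__ == "__main__":
    for kind, paths in compare(REGISTRY_TARBALL, UPSTREAM_TARBALL).items():
        print(f"{kind}: {paths}")
```

An empty result in all three lists means the two archives are file-for-file identical apart from the top-level directory name; file modes and timestamps are not compared.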

--- Comment #5 from Neal Gompa ---
(In reply to Zuzana Svetlikova from comment #4)
> > Upstream does not advise that yarn sources are retrieved from npm and
> > suggest it should be packaged from the pristine sources uploaded to GitHub.
>
> I haven't seen such information. But I admit, that among alternative install
> methods[1] they state "installing from npm is not recommended due to
> security risks" and rather provide their own tarball, which is, however, the
> same, contentwise. I will change URL to that source [2].
>
> When I tried GH sources, I needed to install quite an amount of packages. To
> be exact:
> root@435574b62c7d:~/yarn# npm ls | wc -l
> 1725
> I would like to avoid that.

This means that you're bundling all those node modules, right? Then you need to declare bundled() Provides for all the components you're bundling[1].

[1]: https://fedoraproject.org/wiki/Bundled_Libraries#Requirement_if_you_bundle

--- Comment #6 from Zuzana Svetlikova ---
That would be the case if I were building yarn from GH sources. In this case I just install the (already built) tarball.

Tom Hughes changed:

           What    |Removed                     |Added
                 CC|                            |t...@compton.nu

--- Comment #7 from Tom Hughes ---
That doesn't alter the fact that it is bundling those modules, but not even as proper bundled modules in a node_modules subdirectory - it seems everything has been smashed together in one file.

I'm not sure what the answer is but I don't see how using the prebuilt tar ball here meets the requirement to build from source, even ignoring the bundling issue.

--- Comment #8 from Tom Hughes ---
Also this is installing in /usr/lib/node_modules/nodejs-yarn which should be /usr/lib/node_modules/yarn.

--- Comment #9 from Zuzana Svetlikova ---
So I tried packaging from GH and avoiding webpack, so all the node modules don't end up squashed in one file.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.4.1-1.fc28.src.rpm

--- Comment #10 from Neal Gompa ---
The package looks good, though there is one problem:

* nodejs-yarn is producing Provides + Requires for node modules that are already bundled in the package. This would cause a lot of erroneous things to happen.

--- Comment #11 from Tom Hughes ---
If the bundling is done properly then the generator auto generate bundled() provides instead of normal ones?

--- Comment #12 from Tom Hughes ---
Build is failing for me anyway because it's still trying to symlink global modules in %check... Might work in mock I guess.

--- Comment #13 from Tom Hughes ---
That does look like something has gone wrong with the dependency generator :-(

--- Comment #14 from Tom Hughes ---
Ah it has generated both sorts of provide and also requires. That is a bug...
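
Added example, not part of the original thread or of nodejs-packaging: a check for the problem raised in comments #10, #14 and #19, where a package emits normal "npm()" Provides and Requires for modules it also declares as bundled. The input listings are constructed stand-ins for the output of `rpm -qp --provides` and `rpm -qp --requires`; the `bundled(nodejs-NAME)` spelling and every version number are assumptions for illustration.

```python
import re

# Matches npm(name) and bundled(name) tokens anywhere in a dependency line,
# including inside rich dependencies such as "(npm(a) >= 1 with npm(a) < 2)".
TOKEN = re.compile(r"\b(npm|bundled)\(([^()]+)\)")


def dep_names(listing):
    """Return {'npm': names, 'bundled': names} found in one rpm listing."""
    names = {"npm": set(), "bundled": set()}
    for line in listing.splitlines():
        for kind, name in TOKEN.findall(line):
            if kind == "bundled" and name.startswith("nodejs-"):
                name = name[len("nodejs-"):]  # assumed bundled(nodejs-NAME) form
            names[kind].add(name)
    return names


def leaked_bundled_deps(provides, requires, own_module):
    """List bundled modules that also appear as npm() Provides or Requires."""
    prov, req = dep_names(provides), dep_names(requires)
    bundled = prov["bundled"] - {own_module}
    return {
        "provides": sorted(prov["npm"] & bundled),
        "requires": sorted(req["npm"] & bundled),
    }


# Constructed listings (not taken from the real nodejs-yarn package).
SAMPLE_PROVIDES = """\
nodejs-yarn = 0.0.0-1
npm(yarn) = 0.0.0
bundled(nodejs-chalk) = 2.3.0
npm(chalk) = 2.3.0
bundled(nodejs-semver) = 5.5.0
"""
SAMPLE_REQUIRES = """\
nodejs(engine) >= 4.0.0
(npm(semver) >= 5.1.0 with npm(semver) < 6)
npm(rimraf) >= 2.5.0
/usr/bin/node
"""

if __name__ == "__main__":
    print(leaked_bundled_deps(SAMPLE_PROVIDES, SAMPLE_REQUIRES, "yarn"))
```

Any name reported under "provides" would let this package satisfy another package's dependency on that module; any name under "requires" would pull in a system copy of a module that is already shipped inside the package.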

Peter Oliver changed:

           What    |Removed                     |Added
                 CC|                            |ma...@mavit.org.uk

--- Comment #15 from Peter Oliver ---
(In reply to Zuzana Svetlikova from comment #4)
> > Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg".
>
> I wanted some consistency, so I renamed both yarn and yarnpkg.

yarnpkg is an alias to yarn. Presumably, the reason that this alias exists is to provide a consistent name in places where yarn is already taken by something else, as is the case here. Consequently, I think it would be best to leave yarnpkg at /usr/bin/yarnpkg.

If this were so, I can't see any reason why anyone would want to use Fedora-specific /usr/bin/nodejs-yarn in preference to works-everywhere /usr/bin/yarnpkg, so it would probably be reasonable to leave /usr/bin/nodejs-yarn unpackaged.