Christopher Allan Webber at 2017-08-16T22:22:02Z

I really don't see how Debian can uphold its "mandatory reproducibility" standpoint and depend on an npm package...


So I've overseen a GSoC project in Guix that tried to do the same thing, and at this point I and most of the Guix team are convinced that it just can't be done. The package structures just go far, far too deep, and are very frequently circular; the kinds of problems you have with bootstrapping a compiler to be reasonably reproducible apply here just as badly, but for everyday packages, since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this.

Sadly, I think npm broke the hope of a free web using its system, and most of javascript uses it. I spent a long time hoping we could integrate it, and many I know have spent plenty of effort, but I'm afraid that npm, in its current design, is incompatible with a safely reproducible system.

Sadly that screws over most free software web applications. At this point our best bet, I think, is to put our hopes on languages which aren't Javascript but compile to either Javascript or the browser, and in the meanwhile to write vanilla javascript that doesn't have these constraints.

I don't like that this is my conclusion. It's holding back some of my own work.

Christopher Allan Webber at 2017-08-17T13:46:59Z

AJ Jordan, Tyng-Ruey Chuang likes this.

Hmm. Thanks for your thoughtful and honest assessment. That *is* a bummer...

AJ Jordan at 2017-08-18T19:42:37Z

since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this

How can that possibly happen?

many of the npm packages aren't actually built directly in a clear way from their source

whaaa?

(I obviously know nothing about npm)

joeyh at 2017-08-19T18:21:00Z

Christopher Allan Webber likes this.

@joeyh npm packages include their dependencies recursively. See this blogpost for more info. npm encourages many small packages, many of them smaller than their metadata.

What happens is, a build tool includes some utility at a prior version when it's written. But then the utility switches to using that build tool, maybe even indirectly through several other packages. Now the build tool requires the utility, and the utility requires the build tool. I don't remember the details, but that's a real example of something some Guix developers were working through IIRC, and there are many other cases of this happening.

Eventually that leads to this (I don't know the provenance of that image though!)
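The version-level loop described above (build tool pins a utility, the utility later adopts the build tool), as an added example that is not part of this thread: a small script over a constructed `name@version` dependency graph that reports which packages cannot be built from source without a prior version of themselves, and the chain that causes it. Package names and versions are made up for illustration.

```python
"""Find self-referential bootstrap chains in a versioned dependency graph.

Constructed example: nodes are "name@version", edges are pinned build-time
dependencies. A package that transitively needs an older version of itself
cannot be bootstrapped from source alone, which is the reproducibility
problem the thread describes.
"""
from collections import deque

# Constructed graph (not real npm data): util@1.0.0 started depending on
# buildtool after buildtool@2.0.0 had already pinned util@1.0.0.
DEP_GRAPH = {
    "buildtool@2.0.0": ["util@1.0.0", "leftpad@1.0.0"],
    "util@1.0.0": ["buildtool@1.0.0"],
    "buildtool@1.0.0": ["util@0.9.0"],
    "util@0.9.0": [],
    "leftpad@1.0.0": [],
}


def name_of(spec):
    """Return the package name part of 'name@version'."""
    return spec.rsplit("@", 1)[0]


def self_bootstrap_chain(spec, graph):
    """Shortest dependency path from `spec` to a prior version of the same
    package, or None if building `spec` never needs an older self."""
    parent = {spec: None}
    queue = deque([spec])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep in parent:
                continue
            parent[dep] = node
            if name_of(dep) == name_of(spec):
                path = [dep]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return list(reversed(path))
            queue.append(dep)
    return None


def report(graph):
    """Map each package that needs a prior version of itself to that chain."""
    found = {s: self_bootstrap_chain(s, graph) for s in graph}
    return {s: chain for s, chain in found.items() if chain}
```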

Christopher Allan Webber at 2017-08-20T02:12:29Z