[rdo-list] TripleO UI Packaging Strategy

Matthias Runge mrunge at redhat.com
Fri Jul 22 06:35:52 UTC 2016


On 21/07/16 16:23, Honza Pokorny wrote:
> There still seems to be some confusion about what we're saying, so let
> me attempt to summarize:
> 
> 1. bundling of npm dependencies (sources) undesirable but temporarily tolerated

Taking the conversation from IRC here:

I don't think we got an answer on this yet.

If you're pulling all dependencies in and then compile a package,
you're basically creating something comparable to statically linked
binaries: if a library has a security issue, you're going to rebuild the
whole thing.

You mentioned somewhere else that dependencies are pinned: is that true for
dependencies of dependencies as well? Or would I get a different
tarball when collecting all dependencies (and deps of deps) in a few weeks?


> node_modules/ directory --- npm downloads sources along with artifacts
> (e.g. if the package is written in coffee-script, it will contain both
> the coffee-script sources and the compiled js).  And, we plan to use npm
> to also build the minified code (e.g. "npm run build").


-- 
Matthias Runge <mrunge at redhat.com>

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham,
                    Michael O'Neill, Eric Shander
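One way to answer the two questions raised above (are deps of deps pinned, and would a later collection differ?) mechanically, as an added example that is not part of this thread or of the TripleO UI project: it assumes a lockfile in the nested "dependencies" layout that npm's package-lock.json / npm-shrinkwrap.json use (lockfileVersion 1, with "version", "resolved" and "integrity" per entry), and the sample lockfile is constructed.

```python
"""Check an npm lockfile for unpinned transitive dependencies and fingerprint it.

Assumes the nested "dependencies" layout of package-lock.json / npm-shrinkwrap.json
(lockfileVersion 1), where each entry carries "version", "resolved" and "integrity".
"""
import hashlib
import re

# An exact semver version, as opposed to a range such as "^2.0.0" or "~1.0".
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")

# Constructed sample lockfile: the nested dep "b" (a dep of "a") is left unpinned.
SAMPLE_LOCK = {
    "name": "tripleo-ui", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "a": {"version": "1.2.3", "resolved": "https://registry.example/a-1.2.3.tgz",
              "integrity": "sha512-AAAA",
              "dependencies": {"b": {"version": "^2.0.0"}}},
        "c": {"version": "3.0.0", "resolved": "https://registry.example/c-3.0.0.tgz",
              "integrity": "sha512-CCCC"},
    },
}


def walk(deps, prefix=""):
    """Yield (path, entry) for every dependency at any depth, in a stable order."""
    for name, entry in sorted(deps.items()):
        path = prefix + name
        yield path, entry
        yield from walk(entry.get("dependencies", {}), path + ">")


def unpinned(lock):
    """Paths of deps (including deps of deps) lacking an exact version, resolved URL or integrity hash."""
    bad = []
    for path, entry in walk(lock.get("dependencies", {})):
        if (not EXACT_VERSION.match(entry.get("version", ""))
                or not entry.get("resolved") or not entry.get("integrity")):
            bad.append(path)
    return bad


def fingerprint(lock):
    """SHA-256 over (path, version, integrity) of the whole tree; changes if any transitive dep drifts."""
    h = hashlib.sha256()
    for path, entry in walk(lock.get("dependencies", {})):
        h.update(f"{path}\t{entry.get('version')}\t{entry.get('integrity')}\n".encode())
    return h.hexdigest()
```

Running `unpinned` on a lockfile before each rebuild flags any dep of a dep that is still a range, and comparing `fingerprint` outputs across two collections shows whether the bundled tarball would actually be the same.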