Spec URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn-1.3.2-1.fc28.src.rpm
Description: Fast, reliable, and secure dependency management
Fedora Account System Username: zvetlik
Taking this review.
Any update?
> # packaging from npm is far more easier than packaging from GH
> Source0: https://registry.npmjs.org/%{npm_name}/-/%{npm_name}-%{version}.tgz

Upstream does not advise that yarn sources are retrieved from npm and suggests it should be packaged from the pristine sources uploaded to GitHub. Have you verified that the sources are the same and that it is functional?

> License: BSD-2-Clause

We do not use SPDX identifiers in Fedora. This should be "BSD".

> %files
> ...
> %{_bindir}/nodejs-yarn
> %{_bindir}/nodejs-yarnpkg

No one is going to be able to find either of these. Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg". As for "%{_bindir}/nodejs-yarn", how are you going to make this discoverable? If you're renaming files, you also need to provide a README.Fedora that is installed into the yarn doc dir that describes our changes.
> Upstream does not advise that yarn sources are retrieved from npm and suggests it should be packaged from the pristine sources uploaded to GitHub.

I haven't seen such information. But I admit, that among alternative install methods[1] they state "installing from npm is not recommended due to security risks" and rather provide their own tarball, which is, however, the same, contentwise. I will change URL to that source [2].

When I tried GH sources, I needed to install quite an amount of packages. To be exact:

root@435574b62c7d:~/yarn# npm ls | wc -l
1725

I would like to avoid that.

> Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg".

I wanted some consistency, so I renamed both yarn and yarnpkg. Readme added.

[1]: https://yarnpkg.com/en/docs/install#alternatives-tab
[2]: https://yarnpkg.com/downloads/1.3.2/yarn-v1.3.2.tar.gz

Spec URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://zvetlik.fedorapeople.org/nodejs-yarn/nodejs-yarn-1.3.2-2.fc28.src.rpm
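A content-level comparison of the two source tarballs discussed above (the npm registry tarball and the upstream release tarball), as an added example that is not part of the review thread or the package. It hashes every regular file after dropping each archive's root directory, so a different root name or repacking does not hide or fake a match; the helper names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import posixpath
import tarfile


def content_digests(tar_bytes):
    """Map each regular file (archive root directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and devices carry no content to hash
            # npm tarballs unpack under "package/"; other archives use their own root.
            _, _, rel = posixpath.normpath(member.name).partition("/")
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def diff_tarballs(a_bytes, b_bytes):
    """Return (only_in_a, only_in_b, changed) as sorted lists of relative paths."""
    a, b = content_digests(a_bytes), content_digests(b_bytes)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_a, only_b, changed


def build_tarball(root, files):
    """Constructed sample input: build a gzip tarball in memory under `root`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file contents; real use would read the two downloaded tarballs.
    files = {"package.json": b'{"name": "yarn"}', "lib/cli.js": b"console.log('yarn');\n"}
    registry = build_tarball("package", files)
    upstream = build_tarball("yarn-v1.3.2", dict(files, **{"lib/cli.js": b"changed\n"}))
    print(diff_tarballs(registry, upstream))
```

An empty result in all three lists means the archives carry identical file contents even when the tarballs' own checksums differ.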
(In reply to Zuzana Svetlikova from comment #4)
> > Upstream does not advise that yarn sources are retrieved from npm and suggests it should be packaged from the pristine sources uploaded to GitHub.
>
> I haven't seen such information. But I admit, that among alternative install
> methods[1] they state "installing from npm is not recommended due to
> security risks" and rather provide their own tarball, which is, however, the
> same, contentwise. I will change URL to that source [2].
>
> When I tried GH sources, I needed to install quite an amount of packages. To
> be exact:
> root@435574b62c7d:~/yarn# npm ls | wc -l
> 1725
> I would like to avoid that.

This means that you're bundling all those node modules, right? Then you need to declare bundled() Provides for all the components you're bundling[1].

[1]: https://fedoraproject.org/wiki/Bundled_Libraries#Requirement_if_you_bundle
That would be the case if I were building yarn from GH sources. In this case I just install the (already built) tarball.
That doesn't alter the fact that it is bundling those modules, but not even as proper bundled modules in a node_modules subdirectory - it seems everything has been smashed together in one file. I'm not sure what the answer is but I don't see how using the prebuilt tarball here meets the requirement to build from source, even ignoring the bundling issue.
Also this is installing in /usr/lib/node_modules/nodejs-yarn which should be /usr/lib/node_modules/yarn.
So I tried packaging from GH and avoiding webpack, so all the node modules don't end up squashed in one file.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.4.1-1.fc28.src.rpm
The package looks good, though there is one problem:

* nodejs-yarn is producing Provides + Requires for node modules that are already bundled in the package. This would cause a lot of erroneous things to happen.
If the bundling is done properly then the generator auto-generates bundled() provides instead of normal ones?
Build is failing for me anyway because it's still trying to symlink global modules in %check... Might work in mock I guess.
That does look like something has gone wrong with the dependency generator :-(
Ah it has generated both sorts of provide and also requires. That is a bug...
(In reply to Zuzana Svetlikova from comment #4)
> > Also, I don't know of any conflicts that exist for "%{_bindir}/yarnpkg".
>
> I wanted some consistency, so I renamed both yarn and yarnpkg.

yarnpkg is an alias to yarn. Presumably, the reason that this alias exists is to provide a consistent name in places where yarn is already taken by something else, as is the case here. Consequently, I think it would be best to leave yarnpkg at /usr/bin/yarnpkg.

If this were so, I can't see any reason why anyone would want to use Fedora-specific /usr/bin/nodejs-yarn in preference to works-everywhere /usr/bin/yarnpkg, so it would probably be reasonable to leave /usr/bin/nodejs-yarn unpackaged.
So, I looked into it... it generated provides just fine, and for requires it skips the uppermost node_modules directory, but still generates requires for bundled modules. Here I used %__provides_exclude_from macro.

As for the nodejs- prefix, I left nodejs-yarn and removed it from yarnpkg, but maybe someone else could express their opinion on this.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.5.1-2.fc28.src.rpm
The SRPM URL is invalid. Please post a working SRPM link.
Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.5.1-2.fc29.src.rpm
The nodejs-yarn package has "npm()" Provides for all the bundled nodejs modules, which would confuse and break things.
Also, the spec and SRPM don't match, at least with the changelog, though it looks like it's because you fixed the changelog entries in the spec...
Rebuilt with new nodejs-packaging.

Spec URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn.spec
SRPM URL: https://fedorapeople.org/~zvetlik/nodejs-yarn/nodejs-yarn-1.6.0-1.fc29.src.rpm
Review notes:

* Complies with packaging guidelines
* Bundled dependencies are fully enumerated
* Follows packaging policies for Nodejs applications
* No rpmlint errors of note

PACKAGE APPROVED.
(fedrepo-req-admin): The Pagure repository was created at https://src.fedoraproject.org/rpms/nodejs-yarn
Pushed into rawhide.