Acknowledgement sent
to Alex Henry <tukkek@gmail.com>:
New Bug report received and forwarded. Copy sent to tukkek@gmail.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Thu, 16 Mar 2017 22:51:04 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: npm: This pakcage is 3 years old? (consider removal)
Date: Thu, 16 Mar 2017 19:47:30 -0300
Package: npm
Version: 1.4.21+ds-2
Severity: grave
Justification: renders package unusable
Sorry for opening such a non-standard bug report
but this page leads me to believe that the most
up-to-date version we have for this package on
Debian is from 2014 (see changelog on the menu on
the right side of the screen):
https://packages.debian.org/sid/npm
I don't see any indication anywhere that there is
a reason or justification for this.
Node.js and NPM have become standard tools for web
development and the *extremely outdated* version
proved by this package simply doesn't work anymore.
I suggest this package be entirely removed to avoid
well-meaning users from coming across all sorts of
bugs and errors while using npm due to a lack of update
in what has become an essential tool. If Debian maintainers
can't keep this up-to-date, this package being here
probably does more harm than good to your average
user who expects it to "Just Work". I wouldn't say this
if I didn't know for a fact that this outdated version
simply doesn't work anymore with the package.json files
that are on the NPM repository (try installing polymer,
for example: npm install -g polymer ).
Node.js provides a single package (for Node and NPM) in
their own repository. I'm not sure if any effort can be
done to bring this package version into Debian's
repositories but if that's not possible, I believe that
having a 3-year old version is doing more harm than good
and that it is better for Debian not to offer such - and
have users install from the official repository instead
or from the website Linux download.
Repository install instructions
https://nodejs.org/en/download/package-manager/#debian-and-ubuntu-based-linux-distributions
Simple download from website
https://nodejs.org/en/
Again, I doubt this years-old package here is doing
any good for most users, and I imagine it's doing more
harm since people might not even notice their NPM tool
is extremely outdated, which will obviously lead to hard
to understand errors.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages npm depends on:
pn node-abbrev <none>
pn node-ansi <none>
pn node-ansi-color-table <none>
pn node-archy <none>
pn node-block-stream <none>
pn node-fstream <none>
pn node-fstream-ignore <none>
pn node-github-url-from-git <none>
pn node-glob <none>
pn node-graceful-fs <none>
pn node-gyp <none>
pn node-inherits <none>
pn node-ini <none>
pn node-lockfile <none>
pn node-lru-cache <none>
pn node-minimatch <none>
pn node-mkdirp <none>
pn node-nopt <none>
pn node-npmlog <none>
pn node-once <none>
pn node-osenv <none>
pn node-read <none>
pn node-read-package-json <none>
pn node-request <none>
pn node-retry <none>
pn node-rimraf <none>
pn node-semver <none>
pn node-sha <none>
pn node-slide <none>
pn node-tar <none>
pn node-underscore <none>
pn node-which <none>
ii nodejs 7.7.3-1nodesource1~jessie1
npm recommends no packages.
npm suggests no packages.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Thu, 16 Mar 2017 23:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Finney <bignose@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Thu, 16 Mar 2017 23:33:07 GMT) (full text, mbox, link).
Subject: Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Date: Fri, 17 Mar 2017 10:30:04 +1100
Control: tags -1 + moreinfo
Alex Henry <tukkek@gmail.com> wrote:
> Severity: grave
> Justification: renders package unusable
Thank you for considering the severity of bug reports. You claim the
package is unusable in general, but I don't see anything in your
description that supports this.
The only description of package behaviour you give is:
> […] the *extremely outdated* version
> proved by this package simply doesn't work anymore.
In what specific way does this package not work anymore? What should it
do at version 1.4.21, what does it do instead on Debian? There must be
some *specific, actionable* behaviour where the package behaves in a
buggy way at version 1.4.21.
So far this seems to be in fact a request to package a newer version,
which is a “Severity: wishlist” request.
--
\
`\
_o__) Ben Finney <bignose@debian.org>
Added tag(s) moreinfo.
Request was from Ben Finney <bignose@debian.org>
to 857986-submit@bugs.debian.org.
(Thu, 16 Mar 2017 23:33:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Thu, 16 Mar 2017 23:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Thu, 16 Mar 2017 23:51:03 GMT) (full text, mbox, link).
To: Ben Finney <bignose@debian.org>, 857986@bugs.debian.org
Cc: Alex Henry <tukkek@gmail.com>
Subject: Re: Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Date: Fri, 17 Mar 2017 00:50:11 +0100
2017-03-17 0:30 GMT+01:00 Ben Finney <bignose@debian.org>:
> Control: tags -1 + moreinfo
>
> Alex Henry <tukkek@gmail.com> wrote:
>> Severity: grave
>> Justification: renders package unusable
>
> Thank you for considering the severity of bug reports. You claim the
> package is unusable in general, but I don't see anything in your
> description that supports this.
>
> The only description of package behaviour you give is:
>
>> […] the *extremely outdated* version
>> proved by this package simply doesn't work anymore.
>
> In what specific way does this package not work anymore? What should it
> do at version 1.4.21, what does it do instead on Debian? There must be
> some *specific, actionable* behaviour where the package behaves in a
> buggy way at version 1.4.21.
>
> So far this seems to be in fact a request to package a newer version,
> which is a “Severity: wishlist” request.
I should have done this long before, but npm should not stay in testing:
- `npm install thisorthatmodule` is failing for a growing list of modules
- npmjs.org might drop support for this old client at anytime now
- it's not supportable (security-wise) and i'd advise against using it
I'll use block this bug by the handful of packages depending on npm.
Jérémy
Added blocking bug(s) of 857986: 857993
Request was from Jérémy Lal <kapouer@melix.org>
to control@bugs.debian.org.
(Thu, 16 Mar 2017 23:57:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Fri, 17 Mar 2017 00:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Alex Henry <tukkek@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 17 Mar 2017 00:27:03 GMT) (full text, mbox, link).
I actually did give a use case for this: try installing polymer as per the
instruction given on my initial report. It just doesn't work, as Jeremy
states. NPM is a growing, dynamic repository and you'll be hard pressed to
find any major package that is 3 years old and 100% compatible with the
current version of this package in Debian.
So yes, as I said before, and I stand by it, the fact it is so old and the
NPM repository has continued to advance does, indeed "render [the] package
unusable". Or as Jeremy puts it: "`npm install thisorthatmodule` is failing
for a growing list of modules". This is the most basic NPM operation and it
is failing 100% of the time in many cases.
Of course this can be fixed by updating the NPM version to the current
version, as Ben says, but it shouldn't demote the priority to "wishlist":
there's a real problem here with possible security implication (re Jeremy)
and a major loss of usability (yes, to the point of "renders package
unusable"). But anyway, if it was a simple thing to do, I'm sure someone
would have done it at some point after 2014, so my first suggestion was to
consider removal altogether.
Jeremy, thank you for following through with this. I know asking for
package removal is a big thing in Debian but if NPM is to stay, it needs to
be up-to-date, and if it isn't, it's better that it be removed. I think
that's the best choice for now, thanks again!
On 16 March 2017 at 20:50, Jérémy Lal <kapouer@melix.org> wrote:
> 2017-03-17 0:30 GMT+01:00 Ben Finney <bignose@debian.org>:
> > Control: tags -1 + moreinfo
> >
> > Alex Henry <tukkek@gmail.com> wrote:
> >> Severity: grave
> >> Justification: renders package unusable
> >
> > Thank you for considering the severity of bug reports. You claim the
> > package is unusable in general, but I don't see anything in your
> > description that supports this.
> >
> > The only description of package behaviour you give is:
> >
> >> […] the *extremely outdated* version
> >> proved by this package simply doesn't work anymore.
> >
> > In what specific way does this package not work anymore? What should it
> > do at version 1.4.21, what does it do instead on Debian? There must be
> > some *specific, actionable* behaviour where the package behaves in a
> > buggy way at version 1.4.21.
> >
> > So far this seems to be in fact a request to package a newer version,
> > which is a “Severity: wishlist” request.
>
> I should have done this long before, but npm should not stay in testing:
> - `npm install thisorthatmodule` is failing for a growing list of modules
> - npmjs.org might drop support for this old client at anytime now
> - it's not supportable (security-wise) and i'd advise against using it
>
> I'll use block this bug by the handful of packages depending on npm.
>
> Jérémy
>
>
Added tag(s) stretch and sid.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Fri, 17 Mar 2017 02:09:03 GMT) (full text, mbox, link).
Changed Bug title to 'npm: package is 3 years old (consider removal?)' from 'npm: This pakcage is 3 years old? (consider removal)'.
Request was from Chris Lamb <lamby@debian.org>
to control@bugs.debian.org.
(Fri, 17 Mar 2017 17:03:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Sun, 19 Mar 2017 21:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sun, 19 Mar 2017 21:03:04 GMT) (full text, mbox, link).
To: Jérémy Lal <kapouer@melix.org>,
857986@bugs.debian.org
Cc: Ben Finney <bignose@debian.org>, Alex Henry <tukkek@gmail.com>,
857993@bugs.debian.org, 857994@bugs.debian.org,
857989@bugs.debian.org, 857988@bugs.debian.org,
857990@bugs.debian.org, 857991@bugs.debian.org
Subject: Re: Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Date: Sun, 19 Mar 2017 22:59:18 +0200
Control: severity -1 grave
Contraol: tags -1 stretch sid
On Fri, Mar 17, 2017 at 12:50:11AM +0100, Jérémy Lal wrote:
>...
> I should have done this long before, but npm should not stay in testing:
> - `npm install thisorthatmodule` is failing for a growing list of modules
> - npmjs.org might drop support for this old client at anytime now
> - it's not supportable (security-wise) and i'd advise against using it
>
> I'll use block this bug by the handful of packages depending on npm.
I'm raising the severity of these bugs accordingly.
Note that a missing dependency is also RC, so something like
npm2deb: Please Recommend npm instead of Depend
does not sound like an option.
Removing npm from stretch implies that packages that are non-functional
without npm also have to be removed from stretch.
> Jérémy
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Fri, 24 Mar 2017 15:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 24 Mar 2017 15:30:03 GMT) (full text, mbox, link).
To: 857986@bugs.debian.org, 857993@bugs.debian.org,
Debian Release <debian-release@lists.debian.org>
Subject: Please don't remove npm from Stretch
Date: Fri, 24 Mar 2017 16:26:25 +0100
Hi,
I very much don't agree with the set of arguments in the #857986 bug
report. Npm can be used for a large amount of things, of which may not
include downloading and installing the very latest version of a
Javascript module. Therefore, the package is still useable for a wide
set of functionalities within the scope of Debian and the set of packages
we have (for example, for rebuilding).
Also, removing such a non-leaf package at this point of the release is
way too late. IMO, a bug should have been opened a long time ago asking
for an upgrade of the package.
Last, at this point in time, I believe we should discuss the issue with
the release team. They may agree, for example, that we upgrade the
package to a newer version (this is unlikely, but it is up to them to
tell). They may not agree that we "fix" so many source packages to
remove the build-dependency. Anyway, the solution should be discussed with
them. Therefore, I'm CC-ing the release team.
In any case, once Stretch is released, we must make sure such an
important package gets better maintenance, and follow upstream closely.
Cheers,
Thomas Goirand (zigo)
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 03 Apr 2017 14:48:06 GMT) (full text, mbox, link).
Thomas Goirand:
> Hi,
>
> [...]
>
> Also, removing such a non-leaf package at this point of the release is
> way too late. IMO, a bug should have been opened a long time ago asking
> for an upgrade of the package.
>
Hi,
I would (also) strongly prefer, if we got better at finding and dealing
with things like outside the freeze. That said...
In the concrete case, the removal does not look too bad at a metadata
level. Assuming qtwebchannel5-examples can drop its dependency, the
rest can be removed from testing without affecting any other package
than those listed below.
"""
$ dak rm -nR -s testing npm
[...]
Checking reverse dependencies...
# Broken Depends:
npm2deb: npm2deb
qtwebchannel-opensource-src: qtwebchannel5-examples [...]
# Broken Build-Depends:
ruby-license-finder: npm
"""
> Last, at this point in time, I believe we should discuss the issue with
> the release team. They may agree, for example, that we upgrade the
> package to a newer version (this is unlikely, but it is up to them to
> tell). They may not agree that we "fix" so many source packages to
> remove the build-dependency. Anyway, the solution should be discussed with
> them. Therefore, I'm CC-ing the release team.
>
From my PoV; upgrade is unlikely to be accepted. Removal appears to be
doable, so the real question is:
* Is npm so out of date that it is release critical?
If yes, fix qtwebchannel-opensource-src (etc.) and remove the rest from
stretch. If no, tag it -ignore and move on. To be honest, I know next
to nothing about npm and its state, so I will apply "Do-cracy" to this
decision.
AFAICT, Jérémy Lal has done all of the uploads since 2013 and is the
sole committer to the packaging between 2013-08 to 2014-08[1], which
pretty much makes Jérémy the closest person to an "active do'er" in this
case.
@Jérémy Lal: Your call:
* Are you willing to support npm for 3-5 years in stretch given its
current state?
- If yes, then tag the npm bug stretch-ignore or downgrade it
- If no, then we will effectuate the removal before the release.
Thanks,
~Niels
[1] https://anonscm.debian.org/cgit/pkg-javascript/npm.git/log/
Acknowledgement sent
to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 03 Apr 2017 15:33:03 GMT) (full text, mbox, link).
2017-04-03 16:45 GMT+02:00 Niels Thykier <niels@thykier.net>:
> Thomas Goirand:
>> Hi,
>>
>> [...]
>>
>
>> Also, removing such a non-leaf package at this point of the release is
>> way too late. IMO, a bug should have been opened a long time ago asking
>> for an upgrade of the package.
>>
>
>
> Hi,
>
> I would (also) strongly prefer, if we got better at finding and dealing
> with things like outside the freeze. That said...
>
> In the concrete case, the removal does not look too bad at a metadata
> level. Assuming qtwebchannel5-examples can drop its dependency, the
> rest can be removed from testing without affecting any other package
> than those listed below.
>
> """
> $ dak rm -nR -s testing npm
> [...]
> Checking reverse dependencies...
> # Broken Depends:
> npm2deb: npm2deb
> qtwebchannel-opensource-src: qtwebchannel5-examples [...]
>
> # Broken Build-Depends:
> ruby-license-finder: npm
> """
>
>> Last, at this point in time, I believe we should discuss the issue with
>> the release team. They may agree, for example, that we upgrade the
>> package to a newer version (this is unlikely, but it is up to them to
>> tell). They may not agree that we "fix" so many source packages to
>> remove the build-dependency. Anyway, the solution should be discussed with
>> them. Therefore, I'm CC-ing the release team.
>>
>
> From my PoV; upgrade is unlikely to be accepted. Removal appears to be
> doable, so the real question is:
>
> * Is npm so out of date that it is release critical?
>
> If yes, fix qtwebchannel-opensource-src (etc.) and remove the rest from
> stretch. If no, tag it -ignore and move on. To be honest, I know next
> to nothing about npm and its state, so I will apply "Do-cracy" to this
> decision.
> AFAICT, Jérémy Lal has done all of the uploads since 2013 and is the
> sole committer to the packaging between 2013-08 to 2014-08[1], which
> pretty much makes Jérémy the closest person to an "active do'er" in this
> case.
>
> @Jérémy Lal: Your call:
>
> * Are you willing to support npm for 3-5 years in stretch given its
> current state?
> - If yes, then tag the npm bug stretch-ignore or downgrade it
> - If no, then we will effectuate the removal before the release.
I agree completely with the above analysis, and I'm not willing to support
the current npm version that is in testing.
To others, preoccupied that npm won't be available in debian:
- please help with npm maintenance
- hopefully we'll make an updated version installable through debian backports,
Jérémy.
Acknowledgement sent
to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Tue, 04 Apr 2017 12:33:02 GMT) (full text, mbox, link).
Jérémy Lal:
> 2017-04-03 16:45 GMT+02:00 Niels Thykier <niels@thykier.net>:
>> [...]
>>
>> @Jérémy Lal: Your call:
>>
>> * Are you willing to support npm for 3-5 years in stretch given its
>> current state?
>> - If yes, then tag the npm bug stretch-ignore or downgrade it
>> - If no, then we will effectuate the removal before the release.
>
> I agree completely with the above analysis, and I'm not willing to support
> the current npm version that is in testing.
>
> To others, preoccupied that npm won't be available in debian:
> - please help with npm maintenance
> - hopefully we'll make an updated version installable through debian backports,
>
> Jérémy.
>
Thanks for the reply. Accordingly, I have tagged the following bugs:
* is-blocker: #857994 (qtwebchannel-opensource-src)
* will-remove: #857986, #857990, #857991
Note for ruby-license-finder + npm2deb: If the package can trivially
drop the npm dependency, it is welcome to stay in stretch.
@QT/KDE maintainers: A timely upload for #857994 would greatly be
appreciated, so we can finish up this soon.
Thanks,
~Niels
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Fri, 19 May 2017 10:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Riku Voipio <riku.voipio@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 19 May 2017 10:09:03 GMT) (full text, mbox, link).
To: Thomas Goirand <zigo@debian.org>, 857986@bugs.debian.org, 857993@bugs.debian.org, Debian Release <debian-release@lists.debian.org>, Jérémy Lal <kapouer@melix.org>
Subject: npm: This pakcage is 3 years old? (consider removal)
Date: Fri, 19 May 2017 10:07:11 +0000
Jérémy Lal:
> To others, preoccupied that npm won't be available in debian:
> - please help with npm maintenance
> - hopefully we'll make an updated version installable through debian backports
Are there any complications to building npm as part of nodejs package?
Riku
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Fri, 19 May 2017 10:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 19 May 2017 10:18:03 GMT) (full text, mbox, link).
2017-05-19 12:07 GMT+02:00 Riku Voipio <riku.voipio@iki.fi>:
> Jérémy Lal:
> > To others, preoccupied that npm won't be available in debian:
> > - please help with npm maintenance
> > - hopefully we'll make an updated version installable through debian backports
>
> Are there any complications to building npm as part of nodejs package?
>
There are complications to distributing npm: it depends on a LOT of modules,
which means it requires a lot of debian-maintainer time to package, and update.
Using the upstream nodejs tarball as source for npm or the upstream npm tarball
does not change anything about that.
Jérémy
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Fri, 19 May 2017 14:15:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Riku Voipio <riku.voipio@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Fri, 19 May 2017 14:15:08 GMT) (full text, mbox, link).
Subject: Re: Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Date: Fri, 19 May 2017 14:11:30 +0000
On Fri, May 19, 2017 at 12:15:32PM +0200, Jérémy Lal wrote:
> 2017-05-19 12:07 GMT+02:00 Riku Voipio <riku.voipio@iki.fi>:
>
> > Jérémy Lal:
> > > To others, preoccupied that npm won't be available in debian:
> > > - please help with npm maintenance
> > > - hopefully we'll make an updated version installable through debian backports
> >
> > Are there any complications to building npm as part of nodejs package?
> >
> There are complications to distributing npm: it depends on a LOT of modules,
> which means it requires a lot of debian-maintainer time to package, and update.
> Using the upstream nodejs tarball as source for npm or the upstream npm tarball
> does not change anything about that.
Ok, thanks for clarifying.
Riku
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 11:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Pirate Praveen <praveen@onenetbeyond.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 11:30:03 GMT) (full text, mbox, link).
On Friday 19 May 2017 03:45 PM, Jérémy Lal wrote:
> There are complications to distributing npm: it depends on a LOT of
> modules, which
> means it requires a lot of debian-maintainer time to package, and update.
https://wiki.debian.org/Javascript/Nodejs/Tasks/npm ie, roughly about 78
new modules to package. If one person were to work full time, I think
about 10-15 days time.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 13:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 13:15:03 GMT) (full text, mbox, link).
Quoting Pirate Praveen (2017-05-22 13:27:35)
> On Friday 19 May 2017 03:45 PM, Jérémy Lal wrote:
>> There are complications to distributing npm: it depends on a LOT of
>> modules, which means it requires a lot of debian-maintainer time to
>> package, and update.
>
> https://wiki.debian.org/Javascript/Nodejs/Tasks/npm ie, roughly about
> 78 new modules to package. If one person were to work full time, I
> think about 10-15 days time.
...for the _initial_ packaging work.
We are package *maintainers*.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 14:15:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Pirate Praveen <praveen@onenetbeyond.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 14:15:02 GMT) (full text, mbox, link).
On Monday 22 May 2017 06:41 PM, Jonas Smedegaard wrote:
> ...for the _initial_ packaging work.
>
> We are package *maintainers*.
If you have not realized, we are discussing about maintaining an
existing package. I think you have also not realized the meaning of team
maintained packages. The person who did the initial package need not be
the maintainer of the package for ever. When there is enough interest
in the package, it will remain maintained else it gets removed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 14:21:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 14:21:03 GMT) (full text, mbox, link).
2017-05-22 16:10 GMT+02:00 Pirate Praveen <praveen@onenetbeyond.org>:
> On Monday 22 May 2017 06:41 PM, Jonas Smedegaard wrote:
> > ...for the _initial_ packaging work.
> >
> > We are package *maintainers*.
>
> If you have not realized, we are discussing about maintaining an
> existing package. I think you have also not realized the meaning of team
> maintained packages. The person who did the initial package need not be
> the maintainer of the package for ever. When there is enough interest
> in the package, it will remain maintained else it gets removed.
>
I did the initial npm packaging. At that moment i was optimistic upstream
wouldn't add or change dependencies too much. I was wrong, npm is
constantly adding/removing modules through the months and years, requiring
a lot of maintainer work to keep up.
I think Jonas was pointing out that updating npm today won't actually solve
any issue regarding npm maintenance. Some company should fund that work.
Jérémy
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 16:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 16:21:03 GMT) (full text, mbox, link).
To: 857986@bugs.debian.org, 857993@bugs.debian.org, Debian Release <debian-release@lists.debian.org>
Subject: Re: Bug#857986: [Pkg-javascript-devel] Bug#857986: npm: This pakcage is 3 years old? (consider removal)
Date: Mon, 22 May 2017 17:18:39 +0100
On 2017-05-22 15:19, Jérémy Lal wrote:
> 2017-05-22 16:10 GMT+02:00 Pirate Praveen <praveen@onenetbeyond.org>:
>
>> On Monday 22 May 2017 06:41 PM, Jonas Smedegaard wrote:
>>> ...for the _initial_ packaging work.
>>>
>>> We are package *maintainers*.
>>
>> If you have not realized, we are discussing about maintaining an
>> existing package. I think you have also not realized the meaning of team
>> maintained packages. The person who did the initial package need not be
>> the maintainer of the package for ever. When there is enough interest
>> in the package, it will remain maintained else it gets removed.
>
> I did the initial npm packaging. At that moment i was optimistic
> upstream wouldn't add or change dependencies too much. I was wrong,
> npm is constantly adding/removing modules through the months and
> years, requiring a lot of maintainer work to keep up.
> I think Jonas was pointing out that updating npm today won't actually
> solve any issue regarding npm maintenance. Some company should fund
> that work.
>
> Jérémy
Can this discussion please not be on debian-release? Thanks.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Mon, 22 May 2017 18:36:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 18:36:12 GMT) (full text, mbox, link).
Quoting Pirate Praveen (2017-05-22 16:10:32)
> On Monday 22 May 2017 06:41 PM, Jonas Smedegaard wrote:
>> ...for the _initial_ packaging work.
>>
>> We are package *maintainers*.
>
> If you have not realized, we are discussing about maintaining an
> existing package. I think you have also not realized the meaning of
> team maintained packages. The person who did the initial package need
> not be the maintainer of the package for ever. When there is enough
> interest in the package, it will remain maintained else it gets
> removed.
Exactly: Packages poorly _maintained_ should be removed. E.g. npm!
My point in previous post was that focusing only on the workload for
_initial_ packaging masks the actual real workload, which is being
discussed here!
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#857986; Package npm.
(Wed, 14 Jun 2017 08:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Thierry Vilmart <Thierry.Vilmart@tre.se>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Wed, 14 Jun 2017 08:54:05 GMT) (full text, mbox, link).
To: "857986@bugs.debian.org" <857986@bugs.debian.org>,
"debian-release@lists.debian.org" <debian-release@lists.debian.org>
Subject: request not to remove the package as people asked
Date: Wed, 14 Jun 2017 08:49:37 +0000
Jonas Smedegaard wrote:
> Exactly: Packages poorly _maintained_ should be removed. E.g. npm!
> My point in previous post was that focusing only on the workload for
> _initial_ packaging masks the actual real workload, which is being
> discussed here!
> - Jonas
I agree. If it is too complicated to maintain nodejs and npm packages, they should be removed for security reasons. There could be a vulnerability in the nodejs web server.
Serious professionals will have to install tarballs from the official web pages.
Thierry Vilmart
Added tag(s) buster.
Request was from ivodd@debian.org
to control@bugs.debian.org.
(Sun, 18 Jun 2017 09:58:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Antonio Ospite <ao2@ao2.it>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Tue, 04 Jul 2017 10:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Tue, 04 Jul 2017 11:00:03 GMT) (full text, mbox, link).
Added indication that bug 857986 blocks 877212
Request was from Andreas Beckmann <anbe@debian.org>
to submit@bugs.debian.org.
(Fri, 29 Sep 2017 17:27:05 GMT) (full text, mbox, link).
Added indication that bug 857986 blocks 870460
Request was from rene@rene-engelhard.de (Rene Engelhard)
to control@bugs.debian.org.
(Mon, 27 Nov 2017 10:27:05 GMT) (full text, mbox, link).
Removed indication that bug 857986 blocks 870460
Request was from rene@rene-engelhard.de (Rene Engelhard)
to control@bugs.debian.org.
(Mon, 27 Nov 2017 10:27:09 GMT) (full text, mbox, link).
Added indication that bug 857986 blocks 787080
Request was from rene@rene-engelhard.de (Rene Engelhard)
to control@bugs.debian.org.
(Mon, 27 Nov 2017 10:27:13 GMT) (full text, mbox, link).
Added indication that bug 857986 blocks 894119
Request was from rene@rene-engelhard.de (Rene Engelhard)
to control@bugs.debian.org.
(Wed, 11 Apr 2018 20:09:04 GMT) (full text, mbox, link).
Removed indication that bug 857986 blocks 894119
Request was from Rene Engelhard <rene@rene-engelhard.de>
to control@bugs.debian.org.
(Sat, 21 Apr 2018 12:24:04 GMT) (full text, mbox, link).
Added indication that bug 857986 blocks 894119
Request was from Tobias Frost <tobi@debian.org>
to control@bugs.debian.org.
(Mon, 11 Jun 2018 21:48:09 GMT) (full text, mbox, link).
Reply sent
to Pirate Praveen <praveen@debian.org>:
You have taken responsibility.
(Wed, 18 Jul 2018 16:39:08 GMT) (full text, mbox, link).
Notification sent
to Alex Henry <tukkek@gmail.com>:
Bug acknowledged by developer.
(Wed, 18 Jul 2018 16:39:08 GMT) (full text, mbox, link).
Source: npm
Source-Version: 5.8.0+ds-1
We believe that the bug you reported is fixed in the latest version of
npm, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated npm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Jul 2018 21:37:49 +0530
Source: npm
Binary: npm
Architecture: source all
Version: 5.8.0+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
npm - package manager for Node.js
Closes: 794890 857986 863963 870460
Changes:
npm (5.8.0+ds-1) experimental; urgency=medium
.
[ Diane Trout ]
* New upstream release (Closes: #870460, #863963, #794890, #857986)
.
[ Jérémy Lal ]
* Switch to dh
* Section javascript
* Priority optional
* Drop Jonas from uploaders because of the move to dh
* Update Homepage url
* Update Vcs-Browser url
* Fix make clean
* Override make targets
* Temp workaround for failure with prefix/npmrc
* Build-Depends node-tacks, node-tap for running tests
* Build-Depends node-require-inject for tests
* Drop ruby-ronn from build-dependencies
* Actually call make clean
* NPMOPTS not needed because it does not have to install modules
* Exclude request entirely
* Exclude node-gyp entirely
* Fix install and noop for auto_install
* Use repacksuffix
* make clean can fail
* Disable tests for now
* Fix syntax error in watch
* repacksuffix makes uversionmangle useless
* Add comment for tests
* Ignore case to remove extra license files
* watch file syntax again
* npm need a recent node-tar
* Call /usr/bin/node-gyp instead of second-guess where it is
.
[ Pirate Praveen ]
* add node-fs-vacuum as dependency
* remove all .npmignore files
* drop unique-filename, already in the archive
* add node-unique-filename as a dependency
* add lintian overrides
* Reorganize doc-base structure
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 23 Sep 2018 07:29:32 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.