[yocto] [Openembedded-architecture] Proposal: dealing with language-specific build tools/dependency management tools

Piotr Figiel figiel at gmail.com
Mon Mar 13 01:25:57 PDT 2017


Hi Alexander,
first of all thanks for the efforts. Some comments to add to the mix:

2017-03-10 16:10 GMT+01:00 Alexander Kanavin
<alexander.kanavin at linux.intel.com>:

> The lockdown files would list the versions of the dependencies (if it is
> possible, which is not always true), so you can inspect those to see if
> something is vulnerable. In node.js or Go worlds the libraries are not
> reused between apps anyway, so it really doesn't matter if they're packaged
> as separate recipes or not (I didn't have time to check Rust, but as it's
> also using lockdown files, I believe the libraries are not reused either).

I don't know if you've heard of the lately popular idea of
"microservices" - but basically it comes down to having multiple
specialized node applications installed. In practice those
applications often share the dependencies, so it would totally make
sense to use the packages approach so that the dependencies don't need
to be installed in multiple copies. Perhaps not with a recipe per
npm package, but maybe with some more advanced bitbake magic or a
post-rootfs hook to run deduplication.

What works most of the time is using shrinkwrap to freeze the
dependencies to some local npm mirror, so the concept of lockdown
would make sense. Just a word of warning that it sometimes doesn't
work that well - some of the npm packages (in the dependencies chain)
may have hard-coded URIs to e.g. gitlab and shrinkwrap will keep
those references instead of the npm mirror. Also npm itself doesn't really
check for consistency, it only checks for versions; what can happen is
that the contents may change but the version string may not. In terms
of node, yarn [1] seems to address some of the npm shortcomings, but I'm
not aware of any progress in regard to yocto integration.

[1] https://yarnpkg.com/

Best regards, Piotr.
