Hi, folks,
I'm doing some work for a fairly security conscious company, rearchitecting
their product. In particular, I'm replacing huge amounts of Java code with
tiny amounts of Node code :-)
What's unusual about it is that the product - when I'm done with it, anyway
- *is* a cloud which is deployed on-site for customers in a secure
environment - basically peer-networked Linux machines, usually VMs.
Usually we will control the VM, but sometimes the customer will be
dictating that; and customer machines are frequently not connected to the
internet.
In the process I'm replacing an old, monolithic GUI-based installer. For
the development team, I need to be able to produce daily builds of software
which can be installed into a target Linux VM; ideally this should be
completely automated so that there will just be a "daily virtual appliance"
- but installation packages (rpm, deb, Gentoo ebuild) should be built as
well.
I'm a big fan of doing dependency management right - package *your*
software, declare dependencies on what you need - and that's a shift I'm
helping this company make.
I'm also not a huge fan of checking third-party library code into version
control - it's easy to add stuff and hard to figure out when you're lugging
something around that is not used. It also breaks modularization - I get
why checking node_modules in is the simplest way to guarantee you're
running against what you think you're running against. But I'm trying to
change a culture where any change means spinning a new release of
everything - I'd much rather be able to upgrade a library by changing one
line of a dependency declaration.
npm is similar to module systems I'm used to (NetBeans, plus various Linux
package formats), with the principal difference being the notion of
installing something to be application-local or user-local. I've set up an
internal mirror of the npm registry, which internal code can be pushed to -
that part's fairly simple. But while that works for development, it won't
fly where these things are going to be deployed.
I figure I'm not the first person to run into this issue - what do you do
if you want to take a Node app that has some dependencies, and package that
into an OS-level package such as an RPM?
The main impedance-mismatch is that NPM does more than global OS-level
installs (I briefly considered writing a couchapp that exposes the whole
NPM repository as a Gentoo portage overlay - from which you can build rpms
and debian packages basically for free).
Anybody already solved this problem? Or am I looking at the issue the
wrong way? In the end what I need to solve is:
- Portable installation packages for Linux (and ideally Solaris / SmartOS)
for individual libraries available via npm
- A way to build these packages with little or no manual steps - i.e. a
continuous build can notice a new dependency in a node project and
automatically start building packages for it
Thanks for any suggestions,
Tim