The following issue related to npm package affects only a subset of mozilla developers: only the patch contributors who develop on their PCs that run Debian GNU/Linux.
|mach bootstrap|
to set up the development tools and niceties fails now under Debian GNU/Linux.
This is because "npm" package is no longer in the standard package archive :-(
Could you please report a bug?
Mark added npm as a dependency on Debian [1], as I run Debian unstable, I didn't see it wasn't available for stretch or testing.
Sorry about that.
I also reported a bug on Debian side [2] so that it is clear that npm needs love in Debian.
Cheers,
Sylvestre
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1424921
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888272
Speaking as a maintainer of the Firefox build system, we try to be conservative about the set of dependencies required to build Firefox from source. We recognize that every required dependency is a potential source of failure and complexity. Dependencies can create complications for packagers. From a build system perspective, it's in our best interest to minimize the dependencies required to build Firefox.Our desire to keep things simple can be at odds with the wishes of Firefox developers who wish to leverage new and exciting tools and technologies. In short, the policy of minimizing build dependencies can externalize costs onto overall Firefox development by hindering people from using better tools. This adversely affects the development velocity of Firefox and can cause product quality to suffer.For a few years now, various pockets of Firefox development have wanted to use Node.js as part of the development workflow. I wouldn't say they directly want to use Node.js: they want to use the large ecosystem of tools built around Node.js. But that's splitting hairs. Our build system policy has been that leveraging Node.js and its ecosystem for supplemental workflows is fine, but shipping a build dependency on Node.js is not. Many Firefox developers are now using Node.js in their day-to-day workflow for things like running ESLint. We're using Node.js in CI. But we're not forcing people to have Node.js installed to build Firefox.
Various groups have routed around the limitation that Node.js can't be required to build Firefox. There are now Firefox features that do require Node.js to build. However, the output from the Node.js tools is checked into the Firefox source repository. So from the perspective of the Firefox build system, Node.js doesn't exist and therefore isn't a build dependency.
The status quo is not ideal. The more people I speak with, the more apparent it is that our current policy of not allowing Node.js tooling in the build system is causing more problems than it is preventing. Speaking as the build system module owner and someone who cares about developer workflows, tooling, and developer productivity, I don't think the current policy is good for Mozilla.I'd like to start a discussion about requiring Node.js to build Firefox.What do I mean by "require Node.js?" Let's assume I mean having a usable Node.js executable on the host system to be used during a Firefox build.What about npm or a package manager? I would strongly prefer to limit the required dependency to Node.js itself. While the Firefox build system would depend on 3rd party packages and tools (such as Babel), I'm pretty insistent (as a build system maintainer) that these dependencies be vendored into the Firefox source repository so as to not incur a run-time dependency on a packaging service. I've seen the chaos that "left-pad" caused. I don't fully trust the security model of JavaScript package distribution. I don't think we can risk the ability to build Firefox or the integrity of the Firefox product by the availability and integrity of a 3rd party packaging service. That may sound like a harsh thing to say. But it's the posture we've applied elsewhere (such as to Python packages and PyPI). So, this means that all JavaScript executed by Node.js as part of the build would either be provided by Node.js itself or the Firefox source repository. If we needed to use a package manager as part of the build, that package manager could be vendored in the Firefox repository along with other JavaScript libraries (not unlike how we currently vendor Python's pip package manager).
A few people at Mozilla have poked at this problem already. We have a general sense of where some pain points for us will be. We know that getting modern versions of Node.js installed on various distributions requires using 3rd party package repositories. We know that Windows support could be painful. We know that installing common packages can result of dozens if not hundreds of dependencies being added. We know this could lead to us having to install thousands of files as part of the Firefox build - an overhead I'm not keen on seeing. We know all of this can add up to a significant amount of overhead to support. (Yet it still feels like a lesser problem than having people work around not being able to use Node.js directly.)What we don't generally know is the impact requiring Node.js would have on downstream packagers. Our adoption of Rust last year was a long and sometimes painful process. I have a feeling that requiring Node.js would be a similar experience. But like Rust, I feel that adopting Node.js is in the best long-term interest for Firefox development velocity and product quality. I'm reluctant to cause more hardship by introducing a new build dependency. But it's very difficult to keep saying we can't use Node.js in the Firefox build system. I wish I could say "we'll build SpiderMonkey and use that instead." Unfortunately, many Node.js tools don't work with SpiderMonkey, so that's not an option. Plus there are difficulties with cross-compilation. As sad as it makes me to say it, SpiderMonkey is not an option: Node.js is the only viable option.
If we require Node.js to build Firefox, what are the requirements, desires, and hardships of downstream packagers and consumers of the Firefox build system? Keep in mind that mozilla-central right now is Firefox 60. That will become ESR 60 in May.
Hi,
(wondering if this goes through. Somehow I miss another answer sent to
this list earlier.)
Am 24.01.2018 um 10:26 schrieb Landry Breuil:
>> Quick follow-up. First to add mozilla-linux-taskforce. Second to note that
>> we almost certainly wouldn't make a change before Firefox 61. That would
>> give everyone only caring about ESR an extra ~1 year to deal with fallout.
>
> The adoption of rust has been painful, i guess the requirement of npm
> will be even more painful, and if i'd be given the choice, i'd strongly
> raise my voice against it. Just recently it's been made harder for
> packagers to work on betas by not providing source tarballs anymore but
> only a link to hg that we get to hammer (#1432591) and now this ?
>
> But since the decision has already been made, i guess we can't do
> anything about it, but adapt or die ?
> As long as the required version isnt too recent (we have 6.12.3 in
> OpenBSD right now, and i have no idea what this means in terms of nodejs
> versions) and *you stick to vendoring the nodejs modules HELL* (build
> systems are forbidden to download stuff themselves here), i guess we'll
> swallow the bitter pill.
> Or give up and go do something else, in the greener pastures outside of
> this crazy javascript bloat ecosystem.
I can only mainly agree to what Landry wrote.
With (open)SUSE we have basically the same situation.
Our buildsystem is not allowed to download any resources. Everything
must be available in the source tree or in the distribution we build for.
As node.js and modules is quite a moving target there is a high risk
that we end up being unable to build Firefox+1 leaving users at risk.
While there is ESR this helps indeed because this is what we nowadays
(are forced to) ship because mainly of rust since we simply cannot
update rust in a released distribution every around 6 weeks.
But "dealing with the fallout" by having a year time does not help. This
is an ongoing burden which cannot be solved but would need to be
addressed always when the node.js requirement is increased basically.
For our rolling variant Tumbleweed this is typically not much of an
issue because also node.js is rolling there and can be updated via the
normal process if required. Tumbleweed is also the only distribution we
nowadays can ship regular release on (see above).
That context explained I think our downstream requirements are summarized:
- all node.js modules need to be shipped via the mozilla source tree to
be on the safe side (no download possible)
- problem is with node.js itself and the module compatibility. I have no
experience with that stuff
- try to be conservative and also keep node.js requirements in ESR
cycles unchanged
Just to give an impression which node.js versions we currently have in
supported releases:
Stable distributions:
node.js 4.8.7 and 6.11.1 (choice)
Rolling distribution:
node.js 6.12.3 and 8.9.4
Obviously those are changing over time.
While we are at it something a bit offtopic:
Currently we are scared about python 2.7 requirements since the next
stable version is in the works which will last for at least 3-5 years
and our goal is to get rid of python 2.7 in that release because it will
(officially) run out of maintenance before EOL.
Are there any plans about that?