New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3.0.1: please make comprehensive source archive #5046
Comments
Github source tar has never been 100% comprehensive, Grafana has always required "npm install" to build (like most web apps) |
This is a practical problem... I hope you could give it some attention or thoughts. Denial does not help you know, and problem does not magically disappear by closing bug without an action... This problem blocks upload of updated package. |
Bug?? No its not possible to build 2.6 without npm install. Grafana requires npm modules to build it has always, it is almost always a bad idea have node modules checked into source. You can build a source package but you need to build the front end using the grunt build system, the frontend build requires hundred of node modules |
But it is possible. That's how current Debian package is made -- without With 3.0.1 this is no longer possible because not all sources are included. I'm not suggesting to commit compilers or packaging tools, only sources that required to build Grafana. |
@onlyjob that will at most create an un-optimized development build of the frontend, not a true minified concatenated frontend that is has gone through all the asset optimization pipelines. |
Minification is easy to do (there are tools to choose from) but I believe minification is overrated (see #4006). Anyway minification is another (unrelated) issue... |
@onlyjob minification is only one minor part, the whole process is here: |
Maybe everyone that land here know it, but this issue is related to trust. I know this does not really help, because what we really need is to package the two dozens of npm librairies needed by grafana into Debian. But I thought it should be said. I a fan of grafana, and I'll be delighted to see it back and up to date in Debian. |
Please read https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5 |
3.0.1 introduced regression (somewhat) where source archive is not comprehensive any more because it does not contain all the sources needed to build Grafana.
On Debian, all packages are built from source on secure build servers without internet access so builds are reproducible and do not depend on availability of external resources.
It is not possible to download anything during build.
It would be great to commit all downloadable (by npm, grunt, etc.) 3rd party sources or generate comprehensive "release" source archives with all dependencies.
Thanks.
The text was updated successfully, but these errors were encountered: