<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/13/2017 08:36 PM, Dominik Ruf
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAfZa5n9QE6-XfJXytM2NGbkyKxinLRQRvbG-YLgJ3Yh7OMCVA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div>I don't like the npm dependency for pip installations
either.</div>
<div>I think it'd be better to include the bootstrap source
files and minified files in the manifest.</div>
<div>That way, one can use any less (and minification) tool
(even offline) and we comply to the GPL.</div>
<div>This doesn't mean these source file should be in our
mercurial repository.</div>
<div>(I strongly believe they should not.)</div>
<div>We (the developers) should add scripts/tools to the
repository that make it easy for us</div>
<div>to add and update 3rd-party less, css and js libraries.</div>
<div>In my view npm is the easiest tool for this.</div>
</div>
</div>
</blockquote>
<br>
Dominik, that sounds great. Especially since you have been doing
most of the recent front-end work and is the biggest stakeholder. I
didn't want to put more load on you and try to make you solve more
problems.<br>
<br>
<br>
So, we envision a plan that is something like this:<br>
<br>
We ship compiled front-end code ... and take care to make sure that
we make all corresponding source available so we comply with GPL.<br>
<br>
We pin/lock our preferred dependency versions, but do not "vendor"
them in our source repository. Other dependency versions than the
preferred ones might work too. The preferred versions of our
dependencies will be used and shipped with our releases.<br>
<br>
Making a release (and uploading to pypi will require npm).
Installing Kallithea from pypi or other official releases will not
require npm or sources.<br>
<br>
The release build process is thus the following steps:<br>
1. download source packages for all dependencies using npm<br>
2. running offline, only using these source packages, compile the
front-end code<br>
3. ship the compiled front-end code in the python package, and also
ship all the dependency sources - details TBD<br>
<br>
Development will require npm and compiling from source, where the
source probably either is from a previous release or direct npm
downloads.<br>
<br>
The biggest open question I see is about how we distribute the
corresponding source. I see 3 safe options:<br>
1. Include all corresponding source in the pypi package together
with the compiled front-end code (which do that people don't really
need the source unless they redistribute, but make compliance very
explicit ...). How much bigger twill that make the package?<br>
2. Publish all the corresponding source in a separate pypi package
so it is obvious that when we are using pypi to "redistribute" our
package, pypi also offer the corresponding source.<br>
3. Publish the source on kallithea-scm.org, which is our main
distribution point and is the place we generally provide source
from.<br>
<br>
It might be annoying that we require npm for the development,
download, and building releases. If someone wants to, they can
perhaps change the details of this and provide Python based tooling
without changing this overall concept.<br>
<br>
<br>
Do you agree on this plan? How can we make it happen?<br>
<br>
/Mads<br>
</body>
</html>