Page MenuHomePhabricator
Create Task
Maniphest T257061

Evaluate the workflows and workload of managing a Node package repository
Closed, DeclinedPublic
Actions

Description

This discussion is descoped from T199004: RFC: Add a frontend build step to skins/extensions to our deploy process
Sequence:
Previous: T257072: Determine Node package auditing workflows
Next step: T257068: Draft: RFC: Evaluate alternative Node package managers for improved package security

To improve security of NPM packages distributed to CI nodes and developers a Wikimedia managed package repository is considered.
This ticket is for discussing the workflows involved in managing such package repository.

TBD: Figure out what project tags apply. Help appreciated.

Related Objects
Search...

Event Timeline

Demian created this task.Jul 3 2020, 3:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 3 2020, 3:42 PM
Demian added a comment.Jul 3 2020, 3:43 PM
In T199004#6275631, @daniel wrote:

As to maintaining a git repo with the fully expanded dependency tree, as @Demian describes: we are doing that for composer dependencies in the mediawiki-vendor repository. It works, but the process of keeping that in sync with mediawiki core is unfortunately cumbersome. The RFC from 2014 about this can be found at https://www.mediawiki.org/wiki/Requests_for_comment/Composer_managed_libraries_for_use_on_WMF_cluster.

@daniel A few questions, if interested:

  1. What makes the process cumbersome?
  2. Could that part be automated?
  3. Would it be more streamlined if the package archives were added to the repo without unpacking (less files), as in the Yarn2 and Pnpm workflows?
  4. Would any other package repository solution be less cumbersome, for ex. using xsync directly (just an idea, wouldn't suggest that)?
Demian mentioned this in T199004: RFC: Add a frontend build step to skins/extensions to our deploy process.Jul 3 2020, 3:44 PM
Aklapper added a project: User-Demian.Jul 3 2020, 8:15 PM

@Demian: Please set project tags - thanks.

Demian updated the task description. (Show Details)Jul 3 2020, 10:18 PM
Demian added a project: Release-Engineering-Team (Development services).Jul 3 2020, 10:22 PM
Demian mentioned this in T257068: Draft: RFC: Evaluate alternative Node package managers for improved package security.Jul 3 2020, 10:31 PM
Demian mentioned this in T257072: Determine Node package auditing workflows.Jul 3 2020, 10:38 PM
Demian updated the task description. (Show Details)
Demian edited projects, added Release-Engineering-Team (CI & Testing services); removed Release-Engineering-Team (Development services).
Demian moved this task from Incoming to Resting on the User-Demian board.Jul 3 2020, 11:01 PM
Demian moved this task from Resting to Tracking on the User-Demian board.Jul 5 2020, 5:37 PM
Demian updated the task description. (Show Details)Jul 7 2020, 1:47 PM
thcipriani edited projects, added Release-Engineering-Team (thcipriani-workboard-fiddling); removed Release-Engineering-Team (CI & Testing services).Apr 20 2021, 1:03 AM
thcipriani moved this task from thcipriani-workboard-fiddling to Seen (ARCHIVE) on the Release-Engineering-Team board.Apr 20 2021, 1:05 AM
thcipriani edited projects, added Release-Engineering-Team; removed Release-Engineering-Team (thcipriani-workboard-fiddling).
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team.Apr 20 2021, 3:23 PM
hashar closed this task as Declined.Jun 8 2021, 3:13 PM
hashar removed a project: Release-Engineering-Team (Seen).
hashar subscribed.

There is apparently nothing for release engineering to do right now and the RFC is apparently stall. If a dedicated package repository is needed as part of a future build step, I guess that will surface again when the RFC is being discussed again. Meanwhile no much point in keeping the task open.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits