New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Download cmake binary #276
Comments
I think downloading something during "npm install" execution, as well as during cmake execution, is a terrible idea. Not only is this obscure and buggy, but it also makes it difficult for caching and offline mode in the package manager to work properly. In particular, I have a project where the audit process is very important, and the internet connection during the build is prohibited for a good reason (the version and hashes of everything used during the build process must be exactly what was audited). Dealing with all these poorly designed npm packages that download its own dependencies with custom mechanics instead of relying on standard package manager mechanisms has been particularly an auditing processes nightmare. |
That is an case I hadn't thought of. cmake-js is already downloading (and caching) the nodejs headers that are needed to be able to compile the addons, and this is really an extension of that. The other option would be to bundle cmake inside the npm package, but that will be vastly unpopular with many other users, as the size of the npm package would probably hit 100mb easily once you include all the common platforms. And as cmake-js is supposed to be installed as a production dependency, that will affect anyone pulling in a library which uses cmake-js. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
I get what you say, but this has to stop somewhere. What about the compilers. Do you expect this to download GNU GCC, or CLang etc to make the experience seamless? Downloading NodeJS/Electron headers is also a terrible idea. Just to exemplify, recently the process was broken due to changing the download path of the headers for Electron. Which does not make sense to me that to be able to re-generate a system, you are forced to wait for a new version and then increase the version of the dependencies. This is messy, obscure, fragile and insecure. There are no integrity and authenticity validation over the download source and this is happening in many NPM packages. You as a client have little or no control over this, and it is becoming extremely complicated to have control of the construction process of a simple application. This is extremely worrying. I understand your frustration. It's real. node-gyp is just extremely basic and terrible in practice for more than very basic native modules. cmake-js, NodeJS, Electron and the NPM ecosystem in general is far from one could be expecting too in terms of making things seamless in a standardized way. There are just too many hacks around everything. |
Well no, I am only aiming for more seamless than today. Ideally I would like for it to be possible to use cmake-js anywhere node-gyp works without needing to install anything more. Honestly I am unsure if I will do this task, I am still unsure if it is worth the complexity. If libraries were to provide a sufficient range of prebuilds, then in theory it wouldnt be necessary to compile locally and would negate the need for this.
You will have to complain to nodejs about that one. They are the ones who don't ship the headers with the windows binaries (but do for every other os). I havent checked what electron do, but I assume it is the same. Yes the electron download path changing is annoying and a good example of the flaws of this, but I dont see a practical solution here to avoid downloading the headers. Asking the user to manually download the headers to the right place is going to confuse so many first-time/casual contributors to open source projects using these libraries. And putting them in an npm package will make it way too large. That said, in 7.0 this will be a lot better for projects using node-api. Thanks to https://github.com/nodejs/node-api-headers, there is a npm package containing everything we need (except msvc, but we can generate the missing piece). We dont need such a specific version of them due to their stability promise. So in 7.0, targetting node-api will not download anything on any platform. The exception is if you need to use extra headers which break the node-api stability guarantee, but that isnt supported in 7.0 yet.
Yeah, that is a good point. But it will be very possible to verify the checksum/signature of the binary before allowing it to be executed. And again this cmake downloading will be entirely avoidable. I havent looked in too much depth at the header downloading, but I think it does verify the checksum, I dont know if it is possible to check a signature. Equally, that signature checking is only going to work until the key expires, and cause the pain of the mirror path changing again. If you are using cmake-js in an application rather than a library, then I think it is then also reasonable to expect contributors to have cmake installed. But if your application is using a library which uses cmake-js, then I think it shouldnt be necessary. Requiring cmake can likely be avoided 99% of the time by providing a complete set of prebuilds. But if the library you are using is missing a prebuild then that can be really tedious for your application. Alternatively, I could make the getting started guide for the application say to install cmake, but I firstly need to know that a dependency is using cmake-js (if it has some prebuilds, I may be unaware). And do I really want to make every contributor install cmake just in case there isnt a prebuild for them? What platforms should be made to install it? Again, this is all about easing the pain of using libraries which use cmake-js, and trying to make it as easy for users as projects based on node-gyp. |
Most of the time, we already rely on access to the internet in order to download the headers needed to compile against
We could take this further, and say that if cmake was not found on the path, or if the version found is too old, then we could attempt to download it before failing the build.
That would reduce the complexity for users of libraries built with this, as there would be less chance of their users having to install cmake themselves.
The text was updated successfully, but these errors were encountered: