[v2] package/forge: new package

A native implementation of TLS (and various other cryptographic tools)
in JavaScript.

Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
---
Changes v1 -> v2:
 - build with npm (suggested by Yann E. Morin)
---
 DEVELOPERS               |  1 +
 package/Config.in        |  1 +
 package/forge/Config.in  | 10 ++++++++++
 package/forge/forge.hash |  3 +++
 package/forge/forge.mk   | 28 ++++++++++++++++++++++++++++
 5 files changed, 43 insertions(+)
 create mode 100644 package/forge/Config.in
 create mode 100644 package/forge/forge.hash
 create mode 100644 package/forge/forge.mk

Johan, All,

On 2022-08-26 15:08 +0200, Johan Oudinet spake thusly:
> A native implementation of TLS (and various other cryptographic tools)
> in JavaScript.
> 
> Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
[--SNIP--]
> diff --git a/package/forge/forge.mk b/package/forge/forge.mk
> new file mode 100644
> index 0000000000..c26f550c83
> --- /dev/null
> +++ b/package/forge/forge.mk
> @@ -0,0 +1,28 @@
> +################################################################################
> +#
> +# forge
> +#
> +################################################################################
> +
> +FORGE_VERSION = 1.3.1
> +FORGE_SITE = $(call github,digitalbazaar,forge,v$(FORGE_VERSION))
> +FORGE_LICENSE = BSD-3-Clause, GPL-2.0
> +FORGE_LICENSE_FILES = LICENSE
> +
> +FORGE_DEPENDENCIES = host-nodejs
> +
> +define FORGE_BUILD_CMDS
> +	cd $(@D) && $(NPM) install && $(NPM) run build

So we have to install before we can build? I would have expected the
other way around... I have (almost) zero experience with npm, so I am
not sure about the semantics of 'install' vs. 'build'.

Also, where does 'install' installs things?

Regards,
Yann E. MORIN.

> +endef
> +
> +# Install .min.js as .js
> +define FORGE_INSTALL_TARGET_CMDS
> +	$(INSTALL) -m 644 -D $(@D)/dist/forge.all.min.js \
> +		$(TARGET_DIR)/var/www/forge.all.js
> +	$(INSTALL) -m 644 -D $(@D)/dist/forge.min.js \
> +		$(TARGET_DIR)/var/www/forge.js
> +	$(INSTALL) -m 644 -D $(@D)/dist/prime.worker.min.js \
> +		$(TARGET_DIR)/var/www/prime.worker.js
> +endef
> +
> +$(eval $(generic-package))
> -- 
> 2.34.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

Hello,

On Sat, 27 Aug 2022 10:47:32 +0200
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> > +FORGE_VERSION = 1.3.1
> > +FORGE_SITE = $(call github,digitalbazaar,forge,v$(FORGE_VERSION))
> > +FORGE_LICENSE = BSD-3-Clause, GPL-2.0
> > +FORGE_LICENSE_FILES = LICENSE
> > +
> > +FORGE_DEPENDENCIES = host-nodejs
> > +
> > +define FORGE_BUILD_CMDS
> > +	cd $(@D) && $(NPM) install && $(NPM) run build  
> 
> So we have to install before we can build? I would have expected the
> other way around... I have (almost) zero experience with npm, so I am
> not sure about the semantics of 'install' vs. 'build'.
> 
> Also, where does 'install' installs things?

And side questions are:

 - Does this $(NPM) install step downloads stuff? If it does, then it's
   wrong, because it works around Buildroot's download infrastructure.

 - Does this $(NPM) install step installs extra stuff? If it does, are
   these extra things accounted for from a legal information
   perspective?

Yeah, I know, annoying questions :-)

Thanks!

Thomas

Thomas, All,

On 2022-08-28 10:06 +0200, Thomas Petazzoni spake thusly:
> On Sat, 27 Aug 2022 10:47:32 +0200
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
[--SNIP--]
> > > +define FORGE_BUILD_CMDS
> > > +	cd $(@D) && $(NPM) install && $(NPM) run build  
[--SNIP--]
> And side questions are:
>  - Does this $(NPM) install step downloads stuff? If it does, then it's
>    wrong, because it works around Buildroot's download infrastructure.

Yes, as far as I understand, that's where the vendoring step happens.
Unless we have a download post-process step like we have for go and
cargo, there is not much we can do about that. See also my further reply
on the previous iteration [0].

Also that install-then-build sequence seems to be canon, see [1].

But before we introduce either a download prost-process and/or an
npm-package infrastructure, it would be better [2] to have more than
two data-points.

[0] https://lore.kernel.org/buildroot/20220826210712.GE37358@scaer/
[1] https://lore.kernel.org/buildroot/20220827093603.GT37358@scaer/
[2] I said "better", not "nice", on purpose. ;-]

>  - Does this $(NPM) install step installs extra stuff? If it does, are
>    these extra things accounted for from a legal information
>    perspective?

Yeah, it does install the vendored stuff. And of course it is not
accounted for, what did you hope? ;-)

So, yes, FORGE_LICENSE should include something like:

    , vendored dependencies licenses probably not listed

> Yeah, I know, annoying questions :-)

Hehe... :-]

Regards,
Yann E. MORIN.

Yann, Thomas, All,

On Sun, Aug 28, 2022 at 10:35 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> On 2022-08-28 10:06 +0200, Thomas Petazzoni spake thusly:
> > On Sat, 27 Aug 2022 10:47:32 +0200
> > "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> [--SNIP--]
> > > > +define FORGE_BUILD_CMDS
> > > > + cd $(@D) && $(NPM) install && $(NPM) run build
> [--SNIP--]
> > And side questions are:
> >  - Does this $(NPM) install step downloads stuff? If it does, then it's
> >    wrong, because it works around Buildroot's download infrastructure.
>
> Yes, as far as I understand, that's where the vendoring step happens.
> Unless we have a download post-process step like we have for go and
> cargo, there is not much we can do about that. See also my further reply
> on the previous iteration [0].
>
> Also that install-then-build sequence seems to be canon, see [1].
>
> But before we introduce either a download prost-process and/or an
> npm-package infrastructure, it would be better [2] to have more than
> two data-points.
>
> [0] https://lore.kernel.org/buildroot/20220826210712.GE37358@scaer/
> [1] https://lore.kernel.org/buildroot/20220827093603.GT37358@scaer/
> [2] I said "better", not "nice", on purpose. ;-]

This is exactly that.

> >  - Does this $(NPM) install step installs extra stuff? If it does, are
> >    these extra things accounted for from a legal information
> >    perspective?
>
> Yeah, it does install the vendored stuff. And of course it is not
> accounted for, what did you hope? ;-)
>
> So, yes, FORGE_LICENSE should include something like:
>
>     , vendored dependencies licenses probably not listed
>

Ok, do I propose a v3 with the suggested sentence to FORGE_LICENSE or
should I do something else?

Hello Johan,

On Fri, 26 Aug 2022 15:08:43 +0200
Johan Oudinet <johan.oudinet@gmail.com> wrote:

> A native implementation of TLS (and various other cryptographic tools)
> in JavaScript.
> 
> Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
> ---
> Changes v1 -> v2:
>  - build with npm (suggested by Yann E. Morin)
> ---
>  DEVELOPERS               |  1 +
>  package/Config.in        |  1 +
>  package/forge/Config.in  | 10 ++++++++++
>  package/forge/forge.hash |  3 +++
>  package/forge/forge.mk   | 28 ++++++++++++++++++++++++++++
>  5 files changed, 43 insertions(+)
>  create mode 100644 package/forge/Config.in
>  create mode 100644 package/forge/forge.hash
>  create mode 100644 package/forge/forge.mk

I have applied, but after changing the patch to do like we did for
chartjs: use pre-compiled JS files. Indeed, having a dependency on
host-nodejs is really heavy, and the fact that we don't have vendoring
support yet makes using npm during the build not very nice. So for the
time being, we'll use pre-generated JS files.

See:

  https://gitlab.com/buildroot.org/buildroot/-/commit/d1938358ec119869a63af7622391f6a8de1fbb16

Thanks a lot!

Thomas