SpiderNode for Firefox chrome code

Axel Hecht l10n at mozilla.com
Wed Dec 14 21:02:49 UTC 2016


On 14/12/16 at 01:24, Myk Melez wrote:
> * It enables us to reuse modules from the Node ecosystem.
>
> Node would make it straightforward to integrate third-party modules 
> from NPM. We can port some of them today, but many depend on core Node 
> modules (or their own native modules), which makes porting expensive 
> and often unfeasible. Whereas Node would make it possible to vendor 
> modules using NPM's standard dependency management tools.
>
> Of course we'd still need to ensure that the modules (and their 
> dependencies) are high-quality and have compatible licenses. Rust has 
> the same problem with third-party crates. Still, that's a good problem 
> to have, if it means we can sometimes borrow instead of build new 
> functionality.

Others have raised concerns I share, but I wanted to add to this one.

Vendoring in 3rd party modules has two hard challenges, I think.

For one, many node modules are in permissive licenses, which is great on 
one side. But there's also the lack of protection against software 
patents that we'd expose ourselves to. Y'know, the reason our 
licensing guidelines say APL instead of something like MIT or BSD.

The other is that we'd effectively vendor code into our bug bounty 
program. We should do that very open-eyed, and make sure that we have 
the right relationship with the upstream module owner for that to work 
out for us.

Axel




More information about the firefox-dev mailing list