<rekado>morally speaking it’s not source code; but practically speaking: I’ll take it.
<PurpleSym>Hm, I wouldn’t ask whether it’s minified or not. In the end it does not matter because both deny the right to modify. Instead I would ask whether the source can be trusted. So can we trust unpkg.com? Is there any upstream-provided build?
<PurpleSym>There’s no pre-built `bokeh.js` on npmjs.com for this version though.
<PurpleSym>Hashes for bokeh.js are the same from unpkg.com and pypi, so it should be fine to use either.
<rekado>when the “build” directory on unpkg.com is really the output of some npm command, I wonder if we should just run this by ourselves in a well-defined Guix environment and store the resulting concatenated js files.
<rekado>I mentioned unpkg.com not for bokehjs in particular but for the general problem of missing source code.
<rekado>I first came across unpkg when I looked for unminified source code of vis-network.js, which is needed for r-diagrammer.
<PurpleSym>We could go one step further and use the `npm-binary` importer to create “packages” for all dependencies too.
<zimoun>rekado: https://blog.replit.com/nix-vs-docker «Reproducible Environment with Docker» where ’FROM node:12-alpine’ ’RUN apk add --no-cache python g++ make’ ’RUN yarn install --production’. Ahah! Author of the post is probably missing their own sentence: «Reproducible environments are useful to ensure all developers on a project have the exact same set
<rekado>I see that ’guix graph’ could be impressive, but personally I don’t see much value in treating these environments as a collection of packages. I see the JS part as a complex collection of source files that need to be built together.
<rekado>zimoun: if they all live in the moment and run the command at the same time there’s a good chance they’ll get the same tools.
<zimoun>Pre-last paragraph explains, it is indeed not really reproducible and breakage are around. ;-)
<zimoun>rekado, BTW thanks for the HN thread. Some comments are interesting on how Nix is perceived. :-)