Careful with the (-)g switch

So Wolfram was arguing with the emberjs people about not recommending the -g install, the globally installed and globally accessible kind. His pull request put it like this:

Suggest not to install ember globally but just for your project locally, to prevent version problems with multiple projects and allow upgrading individually.

A pull request, especially one that was denied, is not a good place for a discussion. But outside of that, I just wanted to share my thoughts on using the -g switch.

sudo -g

Do I really want to give a repository with arbitrary code access to my system via sudo? Isn’t it safer to keep everything in user space? How many boxes are actually used with multiple user accounts, and do all of those accounts need the packages? I am not sure what would have had to change in the *nix userspace to justify putting all of this everywhere on my system, especially for tools like jshint or any other code style checker. They need access to my project and not a millimetre more.

Multiple versions

It’s totally awesome that SOME of the frameworks come with switches and helpers to find the right version, but in all honesty: if something is used by the software or the package, reference it correctly in package.json and be done.

And then there is the matter of the two-year-old repo: maybe that switch or helper did not exist back then, so old projects are still f**ed. You check it out, run npm install and BÄM, surprise: xy superchecker, installed globally and used in 2012 at v0.0.2, does not work with 4.2. Bummer.

One Button install, One Button Test

In order to make testing and installs easy, do everything in one step. That is a rule of survival for CI, by the way. An extra step is needed if I install my validation dependency in a pre- or post-install step (given a docker image). For my software, a plain npm install does the job most of the time.

But, but ease of use and console commands

Don’t get me wrong. I have nothing against having the console commands installed. Maybe Wolfram’s PR goes a little overboard in this regard. A small, very visible warning would be in order. I mean, what could possibly go wrong with giving people another way to install stuff outside of user space with sudo, plus the chance to use things like “post install” scripts?
All that -g switching and console commands is fine for development on my home box. Just my local box, with all my porn, all my mail, home banking etc. Customer servers are another matter. Serious business. Any sudo MUST be considered, understood and then reviewed. For any server I would rather include the code in the space of a well-crafted user that passes on the rights of the process that runs wherever it needs to run. I would rather have everything on board at this point.

Remove all the -g

Have you ever checked the directory? I have done node for a while now and stuff piled up. It stayed there as versions changed, and at some point I started checking what I had installed over time with npm -g ls. A lot. Again, was there a reason for being in the sudoers list in the first place? Yes, I am a person to be trusted. So I kill the stuff from time to time, install what I need for the projects I am working on and move on.

Sadly, npm install mymod -g --save does not exist. So it’s two commands (for an RTFM-lazy person like me).

package.json is documentation. If you do not include a module, e.g. jscs, you have to write docs and end up with two places to document “how to check xy for js code style issues” and “how to run tests” (maybe because your testing framework is not installed with -g).

And now?

This is not really about ember refusing to accept the PR; more or less all of us are using somewhat bad practices when it comes to *nixy systems, node and globally installed modules. I might have missed a large part of mac/unix security, or not learned the important parts in the first place, but one regular thing in my projects is installing everything locally and making it work that way (pro tip: a regular bin directory is awesome; executing one of five .js files in your awesome module’s root dir is not). For me there is, most of the time, just no effort in it.