From e16880752907a7b21fdbb7f10c41c65ca3534b62 Mon Sep 17 00:00:00 2001 From: Geoffrey Booth Date: Wed, 6 Mar 2024 14:12:01 -0800 Subject: [PATCH 1/4] doc: add policy for executables --- doc/contributing/distribution.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/contributing/distribution.md b/doc/contributing/distribution.md index 4727c03b6924e5..41b58dd074dd2d 100644 --- a/doc/contributing/distribution.md +++ b/doc/contributing/distribution.md @@ -25,3 +25,11 @@ only as a semver-major change, unless the related feature or project is documented as experimental. In addition, Node.js includes external projects as internal dependencies. These may be replaced or removed at any time, provided that doing so is not a breaking change. + +## Placeholder executables + +Installing Node.js will not create "placeholder" executables: commands that +refer to software that is not distributed with Node.js, but instead would be +downloaded when the command is run. For example, Node.js will not create a +`yarn` placeholder executable that will download Yarn when run or an `eslint` +placeholder executable that will download ESLint when run. From c3f405d3f5d11ae841ecaed178a1fbeeb7497eb8 Mon Sep 17 00:00:00 2001 From: Geoffrey Booth Date: Sat, 30 Mar 2024 07:23:29 -0700 Subject: [PATCH 2/4] revise --- doc/contributing/distribution.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/doc/contributing/distribution.md b/doc/contributing/distribution.md index 41b58dd074dd2d..b6723c058280f4 100644 --- a/doc/contributing/distribution.md +++ b/doc/contributing/distribution.md @@ -28,8 +28,15 @@ that doing so is not a breaking change. ## Placeholder executables -Installing Node.js will not create "placeholder" executables: commands that -refer to software that is not distributed with Node.js, but instead would be -downloaded when the command is run. For example, Node.js will not create a -`yarn` placeholder executable that will download Yarn when run or an `eslint` -placeholder executable that will download ESLint when run. +Installing Node.js will not create "placeholder" executables for package +managers. A placeholder executable is a binary, symlink or script that has a +name that refers to software that is not distributed with Node.js, but instead +would be downloaded when the executable is run. For example, Node.js will not +create `yarn` or `download_yarn` placeholder executables that will download Yarn +when run. Node.js includes `npm` and `npx` executables, but these are not +placeholders because the name of the executable refers to software that is +contained within the Node.js distribution. + +Adding placeholder executables that refer to other types of software besides +package managers will first require an affirmative vote of the Node.js Technical +Steering Committee. From 6268575f0b5c33ba04c8b4ec1997dd582d27e74b Mon Sep 17 00:00:00 2001 From: Geoffrey Booth Date: Wed, 3 Apr 2024 05:59:37 -0700 Subject: [PATCH 3/4] Update distribution.md Co-authored-by: Ruben Bridgewater --- doc/contributing/distribution.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/doc/contributing/distribution.md b/doc/contributing/distribution.md index b6723c058280f4..24d11c89acb4bc 100644 --- a/doc/contributing/distribution.md +++ b/doc/contributing/distribution.md @@ -28,15 +28,7 @@ that doing so is not a breaking change. ## Placeholder executables -Installing Node.js will not create "placeholder" executables for package -managers. A placeholder executable is a binary, symlink or script that has a -name that refers to software that is not distributed with Node.js, but instead -would be downloaded when the executable is run. For example, Node.js will not -create `yarn` or `download_yarn` placeholder executables that will download Yarn -when run. Node.js includes `npm` and `npx` executables, but these are not -placeholders because the name of the executable refers to software that is -contained within the Node.js distribution. - -Adding placeholder executables that refer to other types of software besides -package managers will first require an affirmative vote of the Node.js Technical -Steering Committee. +A placeholder executable is a binary, symlink or script that has a name that refers to software that is not distributed with Node.js, but instead would be downloaded when the executable is run. + +Adding placeholder executables has a high boundary to be included in Node.js as it has a strong impact on the security side as well as the problem that it provides a strong support for a specific project outside of Node.js, which Node.js tries to avoid. Node.js is not going to support any outside project without a very strong reason to do so. +It therefore requires an affirmative vote of the Node.js Technical Steering Committee to include any such placeholder executables. From ec1b3d0eccc05f583b7bafdd207145d3231d7147 Mon Sep 17 00:00:00 2001 From: Geoffrey Booth Date: Wed, 3 Apr 2024 10:15:23 -0700 Subject: [PATCH 4/4] Rewrap --- doc/contributing/distribution.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/doc/contributing/distribution.md b/doc/contributing/distribution.md index 24d11c89acb4bc..d60f2cebf966e4 100644 --- a/doc/contributing/distribution.md +++ b/doc/contributing/distribution.md @@ -28,7 +28,14 @@ that doing so is not a breaking change. ## Placeholder executables -A placeholder executable is a binary, symlink or script that has a name that refers to software that is not distributed with Node.js, but instead would be downloaded when the executable is run. - -Adding placeholder executables has a high boundary to be included in Node.js as it has a strong impact on the security side as well as the problem that it provides a strong support for a specific project outside of Node.js, which Node.js tries to avoid. Node.js is not going to support any outside project without a very strong reason to do so. -It therefore requires an affirmative vote of the Node.js Technical Steering Committee to include any such placeholder executables. +A placeholder executable is a binary, symlink or script that has a name that +refers to software that is not distributed with Node.js, but instead would be +downloaded when the executable is run. + +Adding placeholder executables has a high boundary to be included in Node.js as +it has a strong impact on the security side as well as the problem that it +provides a strong support for a specific project outside of Node.js, which +Node.js tries to avoid. Node.js is not going to support any outside project +without a very strong reason to do so. It therefore requires an affirmative vote +of the Node.js Technical Steering Committee to include any such placeholder +executables.