Overview

File DEBUG.md of Package kando

# Kando OBS Package Debug Log

## How the Process Should Work

1. **Source preparation**: Extract source tarball, apply patch to convert git+ssh URLs to git+https in package-lock.json
2. **Dependency vendoring**: obs-service-node_modules downloads all npm dependencies (including git dependencies) and packages them into node_modules.obscpio
3. **Build environment**: OBS build VM has NO network access
4. **Dependency installation**: local-npm-registry serves vendored tarballs from node_modules.obscpio as a local npm registry
5. **Git dependencies handling**: For git dependencies, npm should either:
   - Use the vendored tarballs served by local-npm-registry, OR
   - Clone from git using https (requires network, which we don't have)
6. **Build**: npm run make compiles the Electron app

## Current Problem

npm is trying to fetch git dependencies directly from GitHub even though they're vendored in node_modules.obscpio.

**Error**: `npm error command git --no-replace-objects ls-remote ssh://git@github.com/Jelmerro/dbus-final.git`

After adding git config to rewrite ssh->https: `fatal: unable to access 'https://github.com/Jelmerro/dbus-final.git/': SSL certificate problem`

## What We've Tried and Ruled Out

### 1. ✅ Patch package-lock.json to use https instead of ssh
- Created fix-git-ssh-urls.patch
- Converts `git+ssh://git@github.com/` to `git+https://github.com/`
- Result: Patch applies successfully but npm still tries to fetch from git

### 2. ✅ Regenerate node_modules.obscpio with patched package-lock.json
- Added `input` parameter to _service file
- Used `--download` and `--download-always` flags
- Result: Successfully downloaded fresh tarballs with https URLs
- Files created: dbus-final-*.tgz, dragdroptouch-*.tgz, node-gyp-*.tgz

### 3. ✅ Add git config to rewrite ssh URLs to https
- Added `git config --global url."https://github.com/".insteadOf "ssh://git@github.com/"`
- Result: Git now tries to use https, but hits SSL certificate error (no network in build)

### 4. ❌ Ruled out: Tarballs contain ssh URLs
- Checked: Extracted node_modules.obscpio and inspected dbus-final tarball
- Result: No git+ssh URLs found in vendored tarballs

### 5. ❌ Ruled out: obs-service-node_modules not downloading
- Checked: Service successfully downloaded all dependencies with --download-always
- Result: 193MB archive with 1177 packages including git dependencies

## Root Cause Analysis

The fundamental issue is that **npm treats git dependencies differently from registry dependencies**:

1. When package-lock.json has `"resolved": "git+https://..."`, npm tries to clone via git
2. local-npm-registry serves tarballs for registry dependencies, but git dependencies bypass the registry
3. Even with vendored tarballs, npm still tries to verify/fetch from git URLs in package-lock.json

## Future Steps to Try

### Option A: Modify package-lock.json to use file:// URLs (NEXT)
Convert git dependency URLs in package-lock.json from:
```json
"resolved": "git+https://github.com/Jelmerro/dbus-final.git#3e43f60..."
```
To:
```json
"resolved": "file:../dbus-final-3e43f60....tgz"
```

This requires modifying the patch or adding a post-patch script.

### Option B: Pre-install git dependencies before running local-npm-registry
1. Extract git dependency tarballs
2. Install them directly with npm install file://...
3. Then run local-npm-registry for remaining dependencies

### Option C: Remove git dependencies from package-lock.json
After patching, remove the git dependency entries entirely and let npm install them from node_modules if already present.

### Option D: Configure npm to not verify git dependencies
Try: `npm config set git-tag-version false` or similar to prevent git fetching.

### Option E: Install dependencies in two phases
1. First pass: Install git dependencies manually from tarballs
2. Second pass: Run local-npm-registry for registry dependencies

## Current Status - Revision 38

**MAJOR PROGRESS! ✓ Git dependency issue SOLVED!**

Solution implemented:
1. Manually extract git dependencies into node_modules before npm install
2. Remove package-lock.json (has git URLs)
3. Modify package.json to replace github: deps with version numbers
4. Let npm install regenerate package-lock.json without git deps

Result: No more git/SSH/codeload errors!

**Revision 39 - Back to git error**:
- Removed git deps from package.json
- Extracted git deps into node_modules
- Deleted package-lock.json
- BUT: npm (via local-npm-registry) still tries to fetch node-gyp from GitHub

**Remaining issue**: The `electron` package likely has `@electron/node-gyp` as a git dependency in its own metadata
- When npm installs electron, it tries to resolve node-gyp from git URL
- Even though node-gyp is already in node_modules, npm wants to verify/update it
- This is a fundamental limitation of local-npm-registry (see issue #2)

**Potential final solutions**:
1. Fork/patch local-npm-registry to handle git deps (complex)
2. Patch electron's package.json to remove node-gyp git dep (might break build)
3. Find a way to make npm skip verification of pre-installed packages
4. Contact package maintainer for alternative approach

## Revision 40 - SOLUTION FOUND! ✓

**Discovery**: Found working solution in obs-service-node_modules issue #22 comment by AdamMajer
- Reference package: server:database:postgresql/pgadmin4
- Approach: Replace git URLs with npm registry versions where available

**Key Insight**: Some packages ARE published to npm registry:
- ✅ `@dragdroptouch/drag-drop-touch` → version `2.0.3` (published to npm)
- ✅ `@electron/node-gyp` → version `10.2.0-electron.2` (published to npm)
- ❌ `dbus-final` → NOT published to npm (GitHub only)

**Final Solution**:
1. Patch package.json to replace git URLs with npm versions for packages that exist on npm
2. For dbus-final (not on npm): Keep as vendored tarball and install via file:// URL
3. This allows obs-service-node_modules to download the published packages normally
4. Only dbus-final needs special handling as a file:// dependency

## Revision 41 - Fix @electron/node-gyp in BOTH locations

**Problem discovered**: git URLs can appear in MULTIPLE locations in package-lock.json:
- Line 638: `node_modules/@electron/node-gyp` resolved field
- Line 817: `@electron/rebuild` dependencies field

**Lesson**: Must patch ALL occurrences of git URLs, not just the package definition!

## Revision 42 - Use obs_scm for dbus-final (CLEANER SOLUTION!)

**Improvement**: Instead of manually extracting tarballs in spec file, use obs_scm service!

**Added to _service**:
```xml
<service name="obs_scm" mode="manual">
  <param name="scm">git</param>
  <param name="url">https://github.com/Jelmerro/dbus-final.git</param>
  <param name="revision">3e43f60d80bbcdf0dfa0b59b838097d6af4d17ba</param>
  <param name="filename">dbus-final</param>
  <param name="version">0.0.0+git3e43f60</param>
</service>
```

**Result**: Generates `dbus-final-0.0.0+git3e43f60.obscpio` CPIO archive

**Benefits**:
- All dependency downloads handled by OBS services
- More maintainable - no manual tarball management
- Standard OBS workflow for git dependencies
openSUSE Build Service is sponsored by
Places