On Sun, 25 Feb 2018, Yuri wrote:

> On 02/25/18 05:37, Marcin Cieslak wrote:
> > Yes, this is my private port that I am using to produce FreeBSD binaries
> > for node-sass. Getting binary npm modules into our ports tree is another
> > conversation.
> >
> > The problem here is that a whole thing worked for me before for months
> > so I am aware of all those limitations for particular build phases
> > (it took me long to figure out that).
> >
> npm is an extremely volatile technology. Some package might work now, and then
> break in a week due to a dependency package update.
>
> It continuously automatically updates files that are downloaded as
> dependencies.
>
> NodeJS is largely incompatible with the FreeBSD ports system because of this
> volatility.
>
> NodeJS is also a very insecure technology. It brings files directly from
> github without any vetting. So if somebody will update some github package
> with malware, it is extremely likely that next day this malware will end up on
> your production servers. There is nobody in between, you have to always trust
> hundreds of parties.

I think I have some idea how we can tame this somewhat without allowing
for a wild fetch.

It seems that I need to learn more about the code that checks
the completeness of the distfiles, since "make checksum" insists on
redoing things all again:

# rm -rf distinfo
# make makesum
# cat distinfo
TIMESTAMP = 1519691985
SHA256 (sass-node-sass-v4.7.2_GH0.tar.gz) = 21cdea5c6bf73825eaec06e78a0bcc54ed75c0953e05c72fe4b4316d756b9e35
SIZE (sass-node-sass-v4.7.2_GH0.tar.gz) = 398635
# env TERM=dumb make checksum
===> License MIT accepted by the user
===> node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found
===> node-sass-4.7.2 depends on package: npm>=0 - found
===> Fetching all distfiles required by node-sass-4.7.2 for building
/bin/mkdir -p /usr/ports/distfiles/node-sass
/bin/mkdir -p /usr/ports/distfiles/npm
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass
(cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts)
npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass
npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.
npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass
up to date in 1.952s
=> SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz.

# env TERM=dumb make checksum
===> License MIT accepted by the user
===> node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found
===> node-sass-4.7.2 depends on package: npm>=0 - found
===> Fetching all distfiles required by node-sass-4.7.2 for building
/bin/mkdir -p /usr/ports/distfiles/node-sass
/bin/mkdir -p /usr/ports/distfiles/npm
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass
(cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts)
npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass
npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.
npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass
up to date in 1.921s
=> SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz.

So this is not poudriere's fault.

Marcin
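
An added example, not part of the original message and not the ports framework's own code: a Python check that parses distinfo text in the format shown above, verifies SHA256 and SIZE for the files it lists, and reports files that sit under the distfiles directory without a distinfo entry, as the npm cache in the session above does. The names `parse_distinfo`, `audit_distfiles` and `demo`, and the sample files, are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# distinfo entries: "SHA256 (name) = hex" and "SIZE (name) = bytes"
ENTRY = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {name: {"SHA256": hex, "SIZE": int}}; TIMESTAMP lines are skipped."""
    pinned = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            kind, name, value = m.groups()
            pinned.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return pinned

def audit_distfiles(distinfo_text, distdir):
    """Sort every file under distdir into ok / mismatch / unpinned, plus missing."""
    pinned = parse_distinfo(distinfo_text)
    report = {"ok": [], "mismatch": [], "unpinned": [], "missing": []}
    for path in sorted(p for p in Path(distdir).rglob("*") if p.is_file()):
        rel = path.relative_to(distdir).as_posix()
        want = pinned.pop(rel, None)
        if want is None:
            report["unpinned"].append(rel)  # fetched, but no checksum covers it
            continue
        data = path.read_bytes()
        good = (len(data) == want.get("SIZE")
                and hashlib.sha256(data).hexdigest() == want.get("SHA256"))
        report["ok" if good else "mismatch"].append(rel)
    report["missing"] = sorted(pinned)  # listed in distinfo, absent on disk
    return report

def demo(tamper=False):
    """Constructed layout: one pinned tarball plus an npm cache file."""
    with tempfile.TemporaryDirectory() as d:
        tarball = b"constructed stand-in for the GitHub tarball"
        distinfo = (f"TIMESTAMP = 0\nSIZE (src.tar.gz) = {len(tarball)}\n"
                    f"SHA256 (src.tar.gz) = {hashlib.sha256(tarball).hexdigest()}\n"
                    f"SHA256 (absent.tar.gz) = {'0' * 64}\n")
        (Path(d) / "npm").mkdir()
        (Path(d) / "src.tar.gz").write_bytes(tarball + (b"!" if tamper else b""))
        (Path(d) / "npm" / "cache-entry").write_bytes(b"constructed cache file")
        return audit_distfiles(distinfo, d)

if __name__ == "__main__":
    print(demo())
```
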