Date: Wed, 30 Oct 2019 10:12:59 -0700
From: Yuri <yuri@rawbw.com>
To: Willem Jan Withagen <wjw@digiware.nl>, "ports@freebsd.org" <ports@freebsd.org>
Subject: Re: packaging a port that uses npm during build.
Message-ID: <1455167b-62ca-0601-ff27-e86fa54baecf@rawbw.com>
In-Reply-To: <ed00bd7d-c13c-f7ec-1fbb-48b97f242a6c@digiware.nl>
References: <ed00bd7d-c13c-f7ec-1fbb-48b97f242a6c@digiware.nl>

On 2019-10-28 04:17, Willem Jan Withagen wrote:
>
> I think I read once somewhere that there is also a "flag" that
> indicates that the port wants network access during the build. Is that
> feasible?

No, this isn't/shouldn't be possible.

Please look at how misc/netron is done. It pre-packages NPM modules into a separate distfile.

CAVEAT: Please keep in mind that NodeJS downloads JS files from a multitude of GitHub locations, which makes this technology fundamentally insecure because any malicious or otherwise harmful change in any of the hundreds of projects would be automatically propagated into the FreeBSD package and further to the users. For this reason NodeJS software is less secure and for example RPM and Debian packages often (or always) just don't include such software into their distributions.

misc/netron only has a few js files installed so it is okay. You can also do the same with more complex projects, with the above caveat.

Best,
Yuri
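
The caveat above concerns upstream changes flowing unnoticed into a package; one check a maintainer can run before bundling `node_modules` into a distfile is that every lockfile entry is a registry tarball pinned by a sha512 hash. This is an added example, not part of the original message or of misc/netron; `auditLock`, the trusted host and the sample lockfile are assumptions constructed for illustration.

```javascript
'use strict';
// Added example, not from the original post or the port it mentions.
// Audits a parsed package-lock.json (lockfileVersion 2 or 3) before its
// dependency tree is bundled into a distfile.

const TRUSTED_HOST = 'registry.npmjs.org'; // assumption: the only accepted source

function auditLock(lock, trustedHost = TRUSTED_HOST) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, local workspaces, symlinks, and dependencies
    // shipped inside a parent's tarball (they have no download of their own).
    if (!path.includes('node_modules/') || pkg.link || pkg.inBundle) continue;
    const resolved = pkg.resolved || '';
    let host = null;
    try { host = new URL(resolved).host; } catch (_) { /* absent or not a URL */ }
    if (/^(git\+|git:|github:)/.test(resolved)) {
      findings.push({ path, problem: 'git-source', detail: resolved });
    } else if (host !== trustedHost) {
      findings.push({ path, problem: 'untrusted-source', detail: resolved || '(none)' });
    }
    // A registry tarball should be pinned by a sha512 SRI hash.
    if (!/^sha512-/.test(pkg.integrity || '')) {
      findings.push({ path, problem: 'no-sha512-integrity', detail: pkg.integrity || '(none)' });
    }
  }
  return findings;
}

// Constructed sample lockfile; package names, URLs and hashes are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pinned': {
      resolved: 'https://registry.npmjs.org/pinned/-/pinned-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDER==' },
    'node_modules/from-git': {
      resolved: 'git+ssh://git@github.com/example/from-git.git#0000000' },
    'node_modules/old-hash': {
      resolved: 'https://registry.npmjs.org/old-hash/-/old-hash-0.1.0.tgz',
      integrity: 'sha1-CONSTRUCTEDPLACEHOLDER=' },
    'node_modules/mirror': {
      resolved: 'https://mirror.example.invalid/mirror-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTEDPLACEHOLDER==' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.problem}\t${f.path}\t${f.detail}`);
```

A clean audit only shows that the inputs are pinned and come from one source; it says nothing about whether the pinned code itself is trustworthy.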