From owner-freebsd-ports@freebsd.org Tue Feb 27 00:41:11 2018 Return-Path: Delivered-To: freebsd-ports@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6A264F31058 for ; Tue, 27 Feb 2018 00:41:11 +0000 (UTC) (envelope-from saper@saper.info) Received: from m.saper.info (m.saper.info [IPv6:2a01:4f8:a0:7383::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "saper.info", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F24E5754B1 for ; Tue, 27 Feb 2018 00:41:10 +0000 (UTC) (envelope-from saper@saper.info) Received: from m.saper.info (saper@m.saper.info [IPv6:2a01:4f8:a0:7383::]) by m.saper.info (8.15.2/8.15.2) with ESMTPS id w1R0f8Vq013697 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 27 Feb 2018 00:41:08 GMT (envelope-from saper@saper.info) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=saper.info; s=Sep2014; t=1519692068; bh=+ru8UrfgbWLpINlQLt2RpoWhQs3q19ksKhy1xwlX8KQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=C0YiT1W6jmZ5sqwfiOLeBZBeC462vpaCBhd50fDQvWkxBsOU69rjHfboifTx23zua u5a2EjvKpGjwKQzhwWokqh2U3c69YageESZczZqxCzVIjzuHranNXl8Mp7huChwEj/ bYcbtfKcJXedqw8meS/h16HVS5b0VBfb96l75HyA= Received: from localhost (saper@localhost) by m.saper.info (8.15.2/8.15.2/Submit) with ESMTP id w1R0f7Ho013694; Tue, 27 Feb 2018 00:41:08 GMT (envelope-from saper@saper.info) X-Authentication-Warning: m.saper.info: saper owned process doing -bs Date: Tue, 27 Feb 2018 00:41:07 +0000 From: Marcin Cieslak To: Yuri cc: freebsd-ports@freebsd.org Subject: Re: poudriere: "Permission denied" in the extract phase? In-Reply-To: Message-ID: References: <371FB508-F90E-41E4-8B3D-85F7DA54FFAA@adamw.org> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="1563967779-489936818-1519692068=:2659" X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Feb 2018 00:41:11 -0000 --1563967779-489936818-1519692068=:2659 Content-Type: text/plain; charset=US-ASCII On Sun, 25 Feb 2018, Yuri wrote: > On 02/25/18 05:37, Marcin Cieslak wrote: > > Yes, this is my private port that I am using to produce FreeBSD binaries > > for node-sass. Getting binary npm modules into our ports tree is another > > conversation. > > > > The problem here is that a whole thing worked for me before for months > > so I am aware of all those limitations for particular build phases > > (it took me long to figure out that). > > > npm is an extremely volatile technology. Some package might work now, and then > break in a week due to a dependency package update. > > It continuously automatically updates files that are downloaded as > dependencies. > > NodeJS is largely incompatible with the FreeBSD ports system because of this > volatility. > > NodeJS is also a very insecure technology. It brings files directly from > github without any vetting. So if somebody will update some github package > with malware, it is extremely likely that next day this malware will end up on > your production servers. There is nobody in between, you have to always trust > hundreds of parties. I think I have some idea how we can tame this somewhat without allowing for a wild fetch. It seems that I need to learn more about the code that checks the completness of the distfiles, since "make checksum" insists on redoing things all again: # rm -rf distinfo # make makesum # cat distinfo TIMESTAMP = 1519691985 SHA256 (sass-node-sass-v4.7.2_GH0.tar.gz) = 21cdea5c6bf73825eaec06e78a0bcc54ed75c0953e05c72fe4b4316d756b9e35 SIZE (sass-node-sass-v4.7.2_GH0.tar.gz) = 398635 # env TERM=dumb make checksum ===> License MIT accepted by the user ===> node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found ===> node-sass-4.7.2 depends on package: npm>=0 - found ===> Fetching all distfiles required by node-sass-4.7.2 for building /bin/mkdir -p /usr/ports/distfiles/node-sass /bin/mkdir -p /usr/ports/distfiles/npm cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass (cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts) npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated. npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only. npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information. npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass up to date in 1.952s => SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz. # env TERM=dumb make checksum ===> License MIT accepted by the user ===> node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found ===> node-sass-4.7.2 depends on package: npm>=0 - found ===> Fetching all distfiles required by node-sass-4.7.2 for building /bin/mkdir -p /usr/ports/distfiles/node-sass /bin/mkdir -p /usr/ports/distfiles/npm cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass (cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts) npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated. npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only. npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information. npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass up to date in 1.921s => SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz. So this is not poudriere's fault. Marcin --1563967779-489936818-1519692068=:2659 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: BASE64 Content-Description: S/MIME Cryptographic Signature Content-Disposition: attachment; filename=smime.p7s MIIOSwYJKoZIhvcNAQcCoIIOPDCCDjgCAQExDzANBglghkgBZQMEAgEFADAL BgkqhkiG9w0BBwGgggqQMIIElzCCA3+gAwIBAgIOSBtqCKJEiNNcmz3JSA0w DQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp Z24wHhcNMTYwNjE1MDAwMDAwWhcNMjQwNjE1MDAwMDAwWjBdMQswCQYDVQQG EwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEzMDEGA1UEAxMqR2xv YmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIFNIQTI1NiAtIEczMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrCba00KOKyGuwh9h+/MAcZm ZUF9OxGKA56AADHaDE08rB0WEbgm6J4XvJP3OGQ7cgHdVJu6XMZkRd6EcfjD yRrIwE6oAVWJe57co3gKk/XxvuubSZuUahrcOiv3D2qaHwva4zumubxQQI4f unEzRIJHPiNjaq0cCcZsMcp5pxsEz8aG0sr8Oh80sxKNnzPmuUETLESktfMC pQKHUGmWXLsG6sgCZOezUjDjKpPKW7l4PUt0TEBEyqLhifv9/YPn5C4o10PP daDazZPeKNif2PVQ5u0HRnkFrHh4wmmrMtY22Mse3eR01gD6rEEGWf+gdzuy EQE+ZVlNhCP4gXjdBQIDAQABo4IBZDCCAWAwDgYDVR0PAQH/BAQDAgEGMCcG A1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwkwEgYDVR0T AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlifCwqX3HPgCenpkr2NvMtKYwrEw HwYDVR0jBBgwFoAUj/BLf6guRSSuTVD6Y5qL3uLdG7wwPgYIKwYBBQUHAQEE MjAwMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20v cm9vdHIzMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2ln bi5jb20vcm9vdC1yMy5jcmwwWQYDVR0gBFIwUDALBgkrBgEEAaAyASgwQQYJ KwYBBAGgMgFfMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNp Z24uY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQCxh3ekjKKy RrUdfI6D1U7qUggdFLksiU+KiIqJzJG6GXcQ2KiBy2tF3+KYb0IixXMpIVli VXlcD5Vh4tiMxJ4WONMFt3f7/53gSXLf24WMwErubc+mGMzgUGE5HKC98PcK UV/5pPggQdzPxCBNeiXnLU1tCGYhPatFTDhUBGaVhBeuUCbgR9gpXJ9guqrD OVwouKvovdIeI5KEAcoAAiSL6naeLk/GbKUaBFa2RxXC17e+YyBWtWlWDEM3 1V8pUIx76lkO8IJYREhLcg/LnyoYy5wcrzI6pbX2vw1x/jR3GHSC1AEdoqbE xui2XLLlSa6y9yQNgdkPz7GTLmpwIT+dMIIF8TCCBNmgAwIBAgIMGk4Oe/1h 2+wMOby/MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAkJFMRkwFwYDVQQK ExBHbG9iYWxTaWduIG52LXNhMTMwMQYDVQQDEypHbG9iYWxTaWduIFBlcnNv bmFsU2lnbiAxIENBIC0gU0hBMjU2IC0gRzMwHhcNMTcwNTI1MDg0NDE2WhcN MjAwNTI1MDg0NDE2WjA8MRkwFwYDVQQDDBBzYXBlckBzYXBlci5pbmZvMR8w HQYJKoZIhvcNAQkBFhBzYXBlckBzYXBlci5pbmZvMIICIjANBgkqhkiG9w0B AQEFAAOCAg8AMIICCgKCAgEA2sO3aQNus/oe4ZBZ4fu1Y1mzxnUYAkb4k/dw gMFc2Kd0eRoOY0AHj4rTEi/vVzzizxjLbEwXzQ9cBEAu/PqS8WsOmhZXtlfi szPDmP7ZpOwmNTWKSd9O7jHu9uTCGfEOsocQNYH2ULD1gVFkgKb8jHf+3u9d uCzh6qMomTtwLrCGEP70Lq385xUzRaD6qbOeIB99tpzgvMR6Z0GPTt4z8tLM kfdtohq5llwZ5vYnj/hJohVS9iLMQMHW4nuLj/mLZNaYE1CWJBT1rBwn5YPJ uR6811O9eAP7aX4iG8k1jkiBh+QNgGRBIK4GIdqy7IVRhA7v2OlpLYHMk4zP 9Fs3M+56QromVKBnxfzLhuYMUK6ugj9jwskNVitqlEFUeyfgvmR1jnPRp1Nd XGJllTNwGicR8wkaRj14RxfrvTZfwXs8OBODKFupqun/tNzdpOgyHMGQACss 9yv2SnLGCJvJK3rGIdRZEiUhLZH/Ct4L92dBhev+SjUqWKbHb4yIlGMgLdoh nwqatuWw7iyOeInjcinX7ghiIKDWhulUN493Fzl6kaUBtIIcrb7jzZ2pHAQT WUmuVnCTHk6NtoWB09lvuK77fw4GfxLWDFWkBQiJYPVBrmxlrkCKzrWdTMfS W9BiEC10jT1sSimUBIjDz22RkfsApeBJoAIWjiOZogILu9MCAwEAAaOCAdAw ggHMMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4wTQYIKwYB BQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dz cGVyc29uYWxzaWduMXNoYTJnM29jc3AuY3J0MD0GCCsGAQUFBzABhjFodHRw Oi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NwZXJzb25hbHNpZ24xc2hhMmcz MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0dHBz Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAw RAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9n c3BlcnNvbmFsc2lnbjFzaGEyZzMuY3JsMBsGA1UdEQQUMBKBEHNhcGVyQHNh cGVyLmluZm8wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1Ud DgQWBBReBINaGUKUo7HCrIjsKLKERu6ooTAfBgNVHSMEGDAWgBSWJ8LCpfcc +AJ6emSvY28y0pjCsTANBgkqhkiG9w0BAQsFAAOCAQEAC0VK968ySq/6B+Kd ecjVThQOKtVXuG17Krfk0xz7OPYR/V+qZtBFm2Uc6tkUEmAmq3Tyf+SE3TTX Q58eJFq0uCTUhIY714ioJs1uVWBz8rPyJ3swkOfDaUXUxkQsBsf73VfKjUk4 kB5MTrApLYUe35NmEY3FqyyX13elhW1tp864vOKM2Git61cYoRn/bwd/z2JM Zkxwkd5JgvmM+p4Da+WO4CUsGzdrZEH8X/8NQIzWtUDIh7VEQZFX5fot/KvH Am8AajtpmNqTfMyg6LfcfJUXSFqXn/KEWu4Td62vX6Pd70dYKUZxnLwYvGqG A4Ktrp9zyrUzxLbmdaPln7CstjGCA38wggN7AgEBMG0wXTELMAkGA1UEBhMC QkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExMzAxBgNVBAMTKkdsb2Jh bFNpZ24gUGVyc29uYWxTaWduIDEgQ0EgLSBTSEEyNTYgLSBHMwIMGk4Oe/1h 2+wMOby/MA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE4MDIyNzAwNDEwN1owLwYJKoZIhvcN AQkEMSIEINi1j47xJeGADf0EYjrCjdN/iAWPAuOv8I8IWoFIDOwAMHkGCSqG SIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMC AgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIC AHX4gkkOW/H20SYNQzRJW22gmBvumUsnFn+MgTzZzignFxvlANi0yTkj1gP5 d6rRu95utNLMI576bJ6gTQIa8gMJl5UtAZFbh/7MoQgJB5eeXl4wMWafhL79 c5TBz082EzYwNnY/0FBdGDXL986rrEdKPRzpS74m7XmQ0vY5VwccFfCOu9KR AFe/ShHOelS87ODv79vEJY68MXV6DI5zjSM8P2n7RDPkuoRax9DyXimZJe4+ aNIMvdmMRadlQs+gpGf2iMVIMr51oU8jg6gkveSzZckTyahbCb9giYJ5wOll 0ZZADJrGhomMUMqsTCkMInOVtTdd2gZO+MdBXC+7mx/eSRaa3ETbLPdNDmBT XvGcoYW+XVDgXv2Rs4ktWd2ygsWj6W3bqe4CkPGbfZH9MCX+SCtb+t+NcVVm EiVs6pqGP39rIQ607kDk7Wrsyp4ItH/waIHiPba1X1B9aO6gXTDkRaa32ndz KR7yF0yg75a0WbCbFuzTEdZcGUvpB8fjtdYEV118bhP8eMEW9Jz/sELrE4+O FDRejF39IvbCjH7kg6hPARyUO64yLctAohmK7RZXNkdyQF9fSm2NsuPON8Du PsdDspDYpB3nN1eMVu4rd5NQaYzP0HXD1wucguY3Xz4ZM0lhRCFyxgdAWaLF l/XrJcam04iphm7WxrcU2LLW --1563967779-489936818-1519692068=:2659--