Date: Wed, 30 Oct 2019 21:16:55 +0100
From: Willem Jan Withagen <wjw@digiware.nl>
To: Yuri <yuri@rawbw.com>, "ports@freebsd.org" <ports@freebsd.org>
Subject: Re: packaging a port that uses npm during build.
Message-ID: <4566de44-a796-d449-242b-657420266a20@digiware.nl>
In-Reply-To: <1455167b-62ca-0601-ff27-e86fa54baecf@rawbw.com>
References: <ed00bd7d-c13c-f7ec-1fbb-48b97f242a6c@digiware.nl> <1455167b-62ca-0601-ff27-e86fa54baecf@rawbw.com>
On 30-10-2019 18:12, Yuri wrote:
> On 2019-10-28 04:17, Willem Jan Withagen wrote:
>>
>> I think I read once somewhere that there is also a "flag" that
>> indicates that the port wants network access during the build. Is
>> that feasible?
>
> No, this isn't/shouldn't be possible.
>
> Please look at how misc/netron is done. It pre-packages NPM modules
> into a separate distfile.
>
> CAVEAT: Please keep in mind that NodeJS downloads JS files from a
> multitude of GitHub locations, which makes this technology
> fundamentally insecure because any malicious or otherwise harmful
> change in any of the hundreds of projects would be automatically
> propagated into the FreeBSD package and further to the users. For this
> reason NodeJS software is less secure and for example RPM and Debian
> packages often (or always) just don't include such software into their
> distributions.
>
> misc/netron only has a few js files installed so it is okay. You can
> also do the same with more complex projects, with the above caveat.

Yes, I know, and sympathise with your concerns.
But then this is a port and I don't make the rules in the project.

I'll take a look.
But my project includes about 62 npm toplevel packages. :-(
and many more getting installed as extra dependencies.
So that is not really an option.
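Pre-bundling the npm modules into a separate distfile, as suggested above, moves the trust decision to the point where the distfile is built: the integrity hashes in package-lock.json are what tie the bundled tarballs to what the port maintainer actually reviewed. The following is an added example, not code from this thread or from misc/netron, that audits a lockfileVersion 2/3 package-lock.json against the tarballs bundled in an offline distfile: every dependency must be pinned, resolved from the npm registry rather than a git/GitHub URL, and match its SRI hash. The lockfile, tarball bytes and package names are constructed for the demonstration.

```python
import base64, hashlib

REGISTRY = "https://registry.npmjs.org/"

def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI string ('sha512-<base64>') the way npm records it in package-lock.json."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

def sri_matches(data: bytes, integrity: str) -> bool:
    """Verify bytes against an SRI string; an unknown algorithm counts as a mismatch."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hashlib.new(algo, data).digest() == base64.b64decode(b64)

def audit_lock(lock: dict, cache: dict) -> list:
    """Walk the 'packages' map of a lockfileVersion 2/3 file. cache maps 'name@version'
    to the tarball bytes bundled in the offline distfile. Returns a list of problems;
    empty means every dependency is pinned, registry-hosted and matches its hash."""
    problems = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        key = f"{name}@{meta.get('version')}"
        resolved, integrity = meta.get("resolved"), meta.get("integrity")
        if not resolved or not resolved.startswith(REGISTRY):
            problems.append(f"{key}: resolved outside the registry ({resolved})")
        if not integrity:
            problems.append(f"{key}: no integrity hash in lockfile")
            continue
        data = cache.get(key)
        if data is None:
            problems.append(f"{key}: tarball missing from distfile")
        elif not sri_matches(data, integrity):
            problems.append(f"{key}: tarball does not match lockfile integrity")
    return problems

# Constructed sample: one fake tarball, a lockfile referencing it, plus a git-hosted dependency.
GOOD = b"constructed tarball bytes for left-pad 1.3.0"
LOCK = {"lockfileVersion": 2, "packages": {
    "": {"name": "demo"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": REGISTRY + "left-pad/-/left-pad-1.3.0.tgz", "integrity": make_sri(GOOD)},
    "node_modules/from-github": {"version": "0.1.0",
        "resolved": "git+https://github.com/example/from-github.git"},
}}
CACHE = {"left-pad@1.3.0": GOOD}
```

Run against a real distfile, the cache would be populated by reading each `.tgz` bundled in it; a non-empty result is the list of dependencies that cannot be tied back to the reviewed lockfile.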