Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Feb 2018 00:41:07 +0000
From:      Marcin Cieslak <saper@saper.info>
To:        Yuri <yuri@rawbw.com>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: poudriere: "Permission denied" in the extract phase?
Message-ID:  <nycvar.OFS.7.76.6.1802270037540.2659@z.fncre.vasb>
In-Reply-To: <f29657cf-ec92-3936-4867-9f8b61b7ff47@rawbw.com>
References:  <nycvar.OFS.7.76.6.1802250231290.2659@z.fncre.vasb> <nycvar.OFS.7.76.6.1802250252140.2659@z.fncre.vasb> <371FB508-F90E-41E4-8B3D-85F7DA54FFAA@adamw.org> <nycvar.OFS.7.76.6.1802251254141.2659@z.fncre.vasb> <f29657cf-ec92-3936-4867-9f8b61b7ff47@rawbw.com>

next in thread | previous in thread | raw e-mail | index | archive | help
--1563967779-489936818-1519692068=:2659
Content-Type: text/plain; charset=US-ASCII

On Sun, 25 Feb 2018, Yuri wrote:

> On 02/25/18 05:37, Marcin Cieslak wrote:
> > Yes, this is my private port that I am using to produce FreeBSD binaries
> > for node-sass. Getting binary npm modules into our ports tree is another
> > conversation.
> > 
> > The problem here is that a whole thing worked for me before for months
> > so I am aware of all those limitations for particular build phases
> > (it took me long to figure out that).
> 
> 
> npm is an extremely volatile technology. Some package might work now, and then
> break in a week due to a dependency package update.
> 
> It continuously automatically updates files that are downloaded as
> dependencies.
> 
> NodeJS is largely incompatible with the FreeBSD ports system because of this
> volatility.
> 
> NodeJS is also a very insecure technology. It brings files directly from
> github without any vetting. So if somebody will update some github package
> with malware, it is extremely likely that next day this malware will end up on
> your production servers. There is nobody in between, you have to always trust
> hundreds of parties.

I think I have some idea how we can tame this somewhat without allowing for
a wild fetch.

It seems that I need to learn more about the code that checks the completness
of the distfiles, since "make checksum" insists on redoing things all again:

# rm -rf distinfo 
# make makesum
# cat distinfo
TIMESTAMP = 1519691985
SHA256 (sass-node-sass-v4.7.2_GH0.tar.gz) = 21cdea5c6bf73825eaec06e78a0bcc54ed75c0953e05c72fe4b4316d756b9e35
SIZE (sass-node-sass-v4.7.2_GH0.tar.gz) = 398635
# env TERM=dumb make checksum
===>  License MIT accepted by the user
===>   node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found
===>   node-sass-4.7.2 depends on package: npm>=0 - found
===> Fetching all distfiles required by node-sass-4.7.2 for building
/bin/mkdir -p /usr/ports/distfiles/node-sass
/bin/mkdir -p /usr/ports/distfiles/npm
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass
(cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts)
npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass
npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.
npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass
up to date in 1.952s
=> SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz.
# env TERM=dumb make checksum
===>  License MIT accepted by the user
===>   node-sass-4.7.2 depends on file: /usr/local/sbin/pkg - found
===>   node-sass-4.7.2 depends on package: npm>=0 - found
===> Fetching all distfiles required by node-sass-4.7.2 for building
/bin/mkdir -p /usr/ports/distfiles/node-sass
/bin/mkdir -p /usr/ports/distfiles/npm
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package-lock.json /usr/ports/distfiles/node-sass
cp -f /home/saper/sw/FreeBSD/ports/textproc/node-sass/files/package.json /usr/ports/distfiles/node-sass
(cd /usr/ports/distfiles/node-sass && /usr/bin/env NPM_CONFIG_CACHE=/usr/ports/distfiles/npm npm install --ignore-scripts)
npm WARN lifecycle node-sass@4.7.2~install: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/install.js /usr/ports/distfiles/node-sass
npm WARN lifecycle node-sass@4.7.2~postinstall: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 node scripts/build.js /usr/ports/distfiles/node-sass
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.
npm WARN lifecycle node-sass@4.7.2~prepublish: cannot run in wd %s %s (wd=%s) node-sass@4.7.2 not-in-install && node scripts/prepublish.js || in-install /usr/ports/distfiles/node-sass
up to date in 1.921s
=> SHA256 Checksum OK for sass-node-sass-v4.7.2_GH0.tar.gz.

So this is not poudriere's fault.

Marcin
--1563967779-489936818-1519692068=:2659
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: BASE64
Content-Description: S/MIME Cryptographic Signature
Content-Disposition: attachment; filename=smime.p7s

MIIOSwYJKoZIhvcNAQcCoIIOPDCCDjgCAQExDzANBglghkgBZQMEAgEFADAL
BgkqhkiG9w0BBwGgggqQMIIElzCCA3+gAwIBAgIOSBtqCKJEiNNcmz3JSA0w
DQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB
IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp
Z24wHhcNMTYwNjE1MDAwMDAwWhcNMjQwNjE1MDAwMDAwWjBdMQswCQYDVQQG
EwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEzMDEGA1UEAxMqR2xv
YmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIFNIQTI1NiAtIEczMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrCba00KOKyGuwh9h+/MAcZm
ZUF9OxGKA56AADHaDE08rB0WEbgm6J4XvJP3OGQ7cgHdVJu6XMZkRd6EcfjD
yRrIwE6oAVWJe57co3gKk/XxvuubSZuUahrcOiv3D2qaHwva4zumubxQQI4f
unEzRIJHPiNjaq0cCcZsMcp5pxsEz8aG0sr8Oh80sxKNnzPmuUETLESktfMC
pQKHUGmWXLsG6sgCZOezUjDjKpPKW7l4PUt0TEBEyqLhifv9/YPn5C4o10PP
daDazZPeKNif2PVQ5u0HRnkFrHh4wmmrMtY22Mse3eR01gD6rEEGWf+gdzuy
EQE+ZVlNhCP4gXjdBQIDAQABo4IBZDCCAWAwDgYDVR0PAQH/BAQDAgEGMCcG
A1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwkwEgYDVR0T
AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlifCwqX3HPgCenpkr2NvMtKYwrEw
HwYDVR0jBBgwFoAUj/BLf6guRSSuTVD6Y5qL3uLdG7wwPgYIKwYBBQUHAQEE
MjAwMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20v
cm9vdHIzMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2ln
bi5jb20vcm9vdC1yMy5jcmwwWQYDVR0gBFIwUDALBgkrBgEEAaAyASgwQQYJ
KwYBBAGgMgFfMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNp
Z24uY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQCxh3ekjKKy
RrUdfI6D1U7qUggdFLksiU+KiIqJzJG6GXcQ2KiBy2tF3+KYb0IixXMpIVli
VXlcD5Vh4tiMxJ4WONMFt3f7/53gSXLf24WMwErubc+mGMzgUGE5HKC98PcK
UV/5pPggQdzPxCBNeiXnLU1tCGYhPatFTDhUBGaVhBeuUCbgR9gpXJ9guqrD
OVwouKvovdIeI5KEAcoAAiSL6naeLk/GbKUaBFa2RxXC17e+YyBWtWlWDEM3
1V8pUIx76lkO8IJYREhLcg/LnyoYy5wcrzI6pbX2vw1x/jR3GHSC1AEdoqbE
xui2XLLlSa6y9yQNgdkPz7GTLmpwIT+dMIIF8TCCBNmgAwIBAgIMGk4Oe/1h
2+wMOby/MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAkJFMRkwFwYDVQQK
ExBHbG9iYWxTaWduIG52LXNhMTMwMQYDVQQDEypHbG9iYWxTaWduIFBlcnNv
bmFsU2lnbiAxIENBIC0gU0hBMjU2IC0gRzMwHhcNMTcwNTI1MDg0NDE2WhcN
MjAwNTI1MDg0NDE2WjA8MRkwFwYDVQQDDBBzYXBlckBzYXBlci5pbmZvMR8w
HQYJKoZIhvcNAQkBFhBzYXBlckBzYXBlci5pbmZvMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEA2sO3aQNus/oe4ZBZ4fu1Y1mzxnUYAkb4k/dw
gMFc2Kd0eRoOY0AHj4rTEi/vVzzizxjLbEwXzQ9cBEAu/PqS8WsOmhZXtlfi
szPDmP7ZpOwmNTWKSd9O7jHu9uTCGfEOsocQNYH2ULD1gVFkgKb8jHf+3u9d
uCzh6qMomTtwLrCGEP70Lq385xUzRaD6qbOeIB99tpzgvMR6Z0GPTt4z8tLM
kfdtohq5llwZ5vYnj/hJohVS9iLMQMHW4nuLj/mLZNaYE1CWJBT1rBwn5YPJ
uR6811O9eAP7aX4iG8k1jkiBh+QNgGRBIK4GIdqy7IVRhA7v2OlpLYHMk4zP
9Fs3M+56QromVKBnxfzLhuYMUK6ugj9jwskNVitqlEFUeyfgvmR1jnPRp1Nd
XGJllTNwGicR8wkaRj14RxfrvTZfwXs8OBODKFupqun/tNzdpOgyHMGQACss
9yv2SnLGCJvJK3rGIdRZEiUhLZH/Ct4L92dBhev+SjUqWKbHb4yIlGMgLdoh
nwqatuWw7iyOeInjcinX7ghiIKDWhulUN493Fzl6kaUBtIIcrb7jzZ2pHAQT
WUmuVnCTHk6NtoWB09lvuK77fw4GfxLWDFWkBQiJYPVBrmxlrkCKzrWdTMfS
W9BiEC10jT1sSimUBIjDz22RkfsApeBJoAIWjiOZogILu9MCAwEAAaOCAdAw
ggHMMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4wTQYIKwYB
BQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dz
cGVyc29uYWxzaWduMXNoYTJnM29jc3AuY3J0MD0GCCsGAQUFBzABhjFodHRw
Oi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NwZXJzb25hbHNpZ24xc2hhMmcz
MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0dHBz
Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAw
RAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9n
c3BlcnNvbmFsc2lnbjFzaGEyZzMuY3JsMBsGA1UdEQQUMBKBEHNhcGVyQHNh
cGVyLmluZm8wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1Ud
DgQWBBReBINaGUKUo7HCrIjsKLKERu6ooTAfBgNVHSMEGDAWgBSWJ8LCpfcc
+AJ6emSvY28y0pjCsTANBgkqhkiG9w0BAQsFAAOCAQEAC0VK968ySq/6B+Kd
ecjVThQOKtVXuG17Krfk0xz7OPYR/V+qZtBFm2Uc6tkUEmAmq3Tyf+SE3TTX
Q58eJFq0uCTUhIY714ioJs1uVWBz8rPyJ3swkOfDaUXUxkQsBsf73VfKjUk4
kB5MTrApLYUe35NmEY3FqyyX13elhW1tp864vOKM2Git61cYoRn/bwd/z2JM
Zkxwkd5JgvmM+p4Da+WO4CUsGzdrZEH8X/8NQIzWtUDIh7VEQZFX5fot/KvH
Am8AajtpmNqTfMyg6LfcfJUXSFqXn/KEWu4Td62vX6Pd70dYKUZxnLwYvGqG
A4Ktrp9zyrUzxLbmdaPln7CstjGCA38wggN7AgEBMG0wXTELMAkGA1UEBhMC
QkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExMzAxBgNVBAMTKkdsb2Jh
bFNpZ24gUGVyc29uYWxTaWduIDEgQ0EgLSBTSEEyNTYgLSBHMwIMGk4Oe/1h
2+wMOby/MA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG
9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE4MDIyNzAwNDEwN1owLwYJKoZIhvcN
AQkEMSIEINi1j47xJeGADf0EYjrCjdN/iAWPAuOv8I8IWoFIDOwAMHkGCSqG
SIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB
ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMC
AgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIC
AHX4gkkOW/H20SYNQzRJW22gmBvumUsnFn+MgTzZzignFxvlANi0yTkj1gP5
d6rRu95utNLMI576bJ6gTQIa8gMJl5UtAZFbh/7MoQgJB5eeXl4wMWafhL79
c5TBz082EzYwNnY/0FBdGDXL986rrEdKPRzpS74m7XmQ0vY5VwccFfCOu9KR
AFe/ShHOelS87ODv79vEJY68MXV6DI5zjSM8P2n7RDPkuoRax9DyXimZJe4+
aNIMvdmMRadlQs+gpGf2iMVIMr51oU8jg6gkveSzZckTyahbCb9giYJ5wOll
0ZZADJrGhomMUMqsTCkMInOVtTdd2gZO+MdBXC+7mx/eSRaa3ETbLPdNDmBT
XvGcoYW+XVDgXv2Rs4ktWd2ygsWj6W3bqe4CkPGbfZH9MCX+SCtb+t+NcVVm
EiVs6pqGP39rIQ607kDk7Wrsyp4ItH/waIHiPba1X1B9aO6gXTDkRaa32ndz
KR7yF0yg75a0WbCbFuzTEdZcGUvpB8fjtdYEV118bhP8eMEW9Jz/sELrE4+O
FDRejF39IvbCjH7kg6hPARyUO64yLctAohmK7RZXNkdyQF9fSm2NsuPON8Du
PsdDspDYpB3nN1eMVu4rd5NQaYzP0HXD1wucguY3Xz4ZM0lhRCFyxgdAWaLF
l/XrJcam04iphm7WxrcU2LLW

--1563967779-489936818-1519692068=:2659--




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?nycvar.OFS.7.76.6.1802270037540.2659>