packaging a port that uses npm during build.
Willem Jan Withagen
wjw at digiware.nl
Wed Oct 30 20:17:07 UTC 2019
On 30-10-2019 18:12, Yuri wrote:
> On 2019-10-28 04:17, Willem Jan Withagen wrote:
>>
>> I think I read once somewhere that there is also a "flag" that
>> indicates that the port wants network access during the build. Is
>> that feasible?
>
>
> No, this isn't/shouldn't be possible.
>
>
> Please look at how misc/netron is done. It pre-packages NPM modules
> into a separate distfile.
>
>
> CAVEAT: Please keep in mind that NodeJS downloads JS files from a
> multitude of GitHub locations, which makes this technology
> fundamentally insecure because any malicious or otherwise harmful
> change in any of the hundreds of projects would be automatically
> propagated into the FreeBSD package and further to the users. For this
> reason NodeJS software is less secure and for example RPM and Debian
> packages often (or always) just don't include such software into their
> distributions.
>
>
> misc/netron only has a few js files installed so it is okay. You can
> also do the same with more complex projects, with the above caveat.
Yes,
I know, and sympathise with your concerns. But then this is a port
and I don't make the rules in the project.
I'll take a look.
But my project includes about 62 toplevel npm packages. :-(
and many more getting installed as extra dependencies.
So that is not really an option.
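
When npm modules are pre-packaged into a distfile, one way to gauge exposure to the caveat quoted above is to audit the lockfile before bundling: where each dependency is fetched from and whether it is pinned by a strong hash. This is an added example, not part of the original messages or of any FreeBSD port; the helper name `auditLock`, the allowed-host list and the sample lockfile are constructed assumptions.

```javascript
// Constructed sample in package-lock.json v2/v3 layout (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-port", version: "1.0.0" },
    "node_modules/alpha": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/alpha/-/alpha-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/beta": {   // git dependency: no tarball hash recorded
      version: "0.4.0",
      resolved: "git+ssh://git@github.com/example/beta.git#0123456789abcdef0123456789abcdef01234567"
    },
    "node_modules/gamma": {  // tarball from an unexpected host, weak hash
      version: "2.0.0",
      resolved: "https://example.invalid/gamma-2.0.0.tgz",
      integrity: "sha1-CONSTRUCTED-PLACEHOLDER"
    }
  }
};

// Hypothetical helper: returns one finding per problem, empty array if clean.
function auditLock(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled deps (no own tarball).
    if (path === "" || entry.link || entry.inBundle) continue;
    let url = null;
    try { url = new URL(entry.resolved); } catch (e) { /* missing or malformed */ }
    if (!url) {
      findings.push({ path, issue: "no-usable-resolved-url" });
    } else if (url.protocol !== "https:") {
      findings.push({ path, issue: "non-https-source" });
    } else if (!allowedHosts.includes(url.hostname)) {
      findings.push({ path, issue: "unapproved-host" });
    }
    if (!String(entry.integrity || "").startsWith("sha512-")) {
      findings.push({ path, issue: "no-sha512-integrity" });
    }
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

An empty result means every transitive dependency comes from an approved host and is pinned by a SHA-512 hash; it says nothing about whether the pinned code itself is trustworthy.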