Re: Guidance on creating a port for an npm installed tool

From: Moin Rahman <>
Date: Fri, 09 Jun 2023 18:41:20 UTC

> On Jun 9, 2023, at 8:22 PM, Patrick M. Hausen <> wrote:
> Hi,
>> Am 09.06.2023 um 20:15 schrieb Moin Rahman <>:
>> There is no specific guidelines but so far what have been most useful
>> is you install the package and then install the npm deps. After that
>> create a tarball of the npm deps installed and add it as a DISTFILE.
> So I create my own binary archive from the result of "npm install" or
> "npm run setup" or similar?
> That does not feel right. How will the user know that my tar archive
> is authentic?
I don't know whether if you are a committer or not. But once you submit
a patch it will be the committer's duty to check the size and SHA and
that there are not nothing malicious. The users have to trust something
and in FreeBSD world they trust the committer. And if a committer violates
the rules there are consequences for them.

>> One another approach is just install the dist with node as a RUN_DEPEND
>> and ask user to install it through a pkg-message.
> Neither does this. So the state of npm based installation is that is
> in a mess? I'm not blaming FreeBSD or the ports system here :-)
> What a way to distribute software.
> Your second suggestion is btw out of the question because we
> build packages in poudriere and from these build immutable
> read-only base images for our jails.
I think this is also possible with poudriere jail hooks. But not sure because
it depends on the way you are creating the jail images.

Kind regards,

> *sigh*
> Thanks for your insight.
> Patrick
> -- 
> GmbH
> Patrick M. Hausen
> .infrastructure
> Sophienstr. 187
> 76185 Karlsruhe
> Tel. +49 721 9109500
> AG Mannheim 108285
> Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein