Closed yurivict closed 4 years ago
Hi @yurivict.
I'm afraid FreeBSD builds are not possible atm.
1) FETCH for external packages is required, because we cannot have every dependency replicated in our repository. A cache in $HOME is supported though, so only the first build attempt really needs downloads.
2) Beast now has a hard dependency on Electronjs, and AFAICS that is not (yet) available for FreeBSD. So that needs to be fixed first. Alternatively, maybe some future version of Firefox will again support a standalone browser engine that can be used as desktop app, but without a standalone modern browser engine, Beast cannot be brought to live.
3) realpath and find and other tools used in the Makefiles use GNU specific options atm, porting to a pure POSIX command/option set is only useful once (2) is solved (and involves significant work in some cases).
I think this is the Electronjs upstream bug that would have to be fixed first;
FETCH for external packages is required
All major packaging systems disallow fetch during build for security reasons, rpm/debian/bsd
Beast now has a hard dependency on Electronjs
NodeJS is hard-banned by all major packaging systems because NodeJS leads to insecure packages and they just don't package such software.
You made several design decisions that prevent most users from ever seeing your software because you are asking them to compile it by hand instead of installing it via a package. Compilation by hand is too hard for most users.
FETCH for external packages is required
All major packaging systems disallow fetch during build for security reasons, rpm/debian/bsd
As I wrote under (1) above, you could prefetch the downloaded 3rd party sources, and combined with the beast sources + Electron could build Beast offline.
Beast now has a hard dependency on Electronjs
NodeJS is hard-banned by all major packaging systems because NodeJS leads to insecure packages and they just don't package such software.
First, NodeJS doesn't lead to insecure software per se. Blindly installing npm deps can have that effect, yes, but that's not what the Beast build does. (And realistically, the same can happen with other language environments also.)
Second, Beast doesn't even need the NodeJS portion of Electron, just a modern web engine to display the UI, which is why I wrote that Firefox could take on this part in the future also.
Third, this is not the place to start a generic argument against use of Electron. If you care, https://electronjs.org/apps lists hundreds of apps that are based on Electron. It may take distributors some time - or years - to figure how and why they want to package Electron apps, but it will happen eventually due to user demand.
You made several design decisions that prevent most users from ever seeing your software because you are asking them to compile it by hand instead of installing it via a package. Compilation by hand is too hard for most users.
You're right that compilation is too hard for users. We don't advocate that users should compile Beast to get it working. Instead, we provide a pre-built AppImage, that works on Ubuntu and Fedora systems. Distributors/packagers are welcomed to build Beast for platforms beyond that, and that process is actually quite easy, as GNU-Make will tell you what dependencies are missing and you could even inspect the CI Docker images to understand how the build works.
Regarding the basic design choices that you talk about, we originally based Beast on Gtk+ and I invested heavily into that toolkit. As a result, ten years ago we had Debs, Rpms and earlier even BSD packages. The foundation wasn't good enough to keep up with feature requests and UI development demands though.
Changing that has allowed to move Beast into new and more interesting directions, and that at a previously unimaginable pace. For now, the focus is on reaching feature completeness for a 1.0 version, and once that's achieved we can possibly dial back on one or two aspects to ease packaging and integration. For FreeBSD specifically, a proper desktop application webengine is required first - the need of which is also recognized by other FreeBSD users as demonstrated in https://github.com/electron/electron/issues/3797
It may take distributors some time - or years - to figure how and why they want to package Electron apps, but it will happen eventually due to user demand.
Electron apps package NodeJS code. npm downloads NodeJS code directly from GitHub, typically from hundreds of individual GitHub accounts. This subjects users to the danger of some of these accounts to go rogue and deliver malware to them, since NodeJS technology doesn't have any safeguards against this and such unsafe behavior is done rather by its design, there's little chance that major packaging systems would adopt them. You can see that the Atom editor for example isn't packaged by Debian or any RPM packaging systems (https://repology.org/project/atom/versions). They can't subject their users to such dangers, and they shouldn't.
Perhaps Electron can be used w/out NodeJS, but it brands itself as ElectronJS, and your project too has the npm part in it.
Electron apps package NodeJS code.
Electron contains the google-chrome rendering engine libchromiumcontent, the google-chrome javascript engine V8 (sandboxed) and nodejs (a V8 based JS language environment, not sandboxed) in a single binary. That is similar to e.g. Firefox and and any language interpreter like Python or the JVM languages.
npm downloads NodeJS code directly from GitHub, typically from hundreds of individual GitHub accounts.
npm is a package manager and package repository for web applications and nodejs applications. packages are downloaded from npmjs.org. web applications are sandboxed like a website displayed in a browser. only nodejs applications and npm packages for nodejs could go rouge the way CPAN packages, PIP modules, JVM code, C, Go, Ruby, C++, Rust or shell code could after being downloaded. There is nothing special about npm here, other than it being used more widely, so its potentially a more attractive target. It has had dependency fallouts in the past, which is why procedures have been adapted now to prevent this in the future and make package name spoofing harder. Most Python, C, C++, etc code is hosted on Github these days btw, but whether Github is used for hosting or not is really not related.
This subjects users to the danger of some of these accounts to go rogue and deliver malware to them, since NodeJS technology doesn't have any safeguards against this and such unsafe behavior is done rather by its design, there's little chance that major packaging systems would adopt them.
I don't follow that argument, Electron has sandbox functionality, C, C++, Ruby, Python, Haskell, etc code that is pulled from Github and packaged doesn't.
Perhaps Electron can be used w/out NodeJS, but it brands itself as ElectronJS, and your project too has the npm part in it.
That is just not related. Most websites use npm packages and are used by billions of people, every day. Claiming that npm is bad or insecure or unusable or anything alike is just not credible. Regarding Beast, the package installation uses just one npm package, vue-2.6, and that comes with 0 dependencies. We used to also need jquery but could get rid of it. And I have probably studied more of the Vue code than I have studied the various C/C++ dependencies we pull in (those are pulled from Github btw).
@yurivict wrote:
This subjects users to the danger of some of these accounts to go rogue and deliver malware to them, since NodeJS technology doesn't have any safeguards against this
Related: Two malicious Python libraries caught stealing SSH and GPG keys
There is no point in picking on npm (nodejs) specifically when it comes to malicious code being introduced via dependencies. Whatever language / runtime environment you use, always check your dependencies closely and pay close attention to name spoofing / typosquatting.
there's little chance that major packaging systems would adopt them. You can see that the Atom editor for example isn't packaged by Debian
FYI, here is the Debian bug for packaging Electron: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842420
And here is the Wiki page tracking the progress: https://wiki.debian.org/Javascript/Nodejs/Tasks/electron
FYI, here is the Debian bug for packaging Electron: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842420
There's nothing wrong with Electron itself. It has been ported to FreeBSD and is long available in ports. The problem is that Electron is used as a Trojan Horse to drive NodeJS packages.
Whatever language / runtime environment you use, always check your dependencies closely and pay close attention to name spoofing / typosquatting.
No. Other projects have a more centralized nature with upstream devs having control over the content of used dependencies. In NodeJS npm just downloads the latest versions of hundreds/thousands of GitHub projects without anybody being able to even track what versions are used n particular cases. There is no easy way to freeze dependencies, to have reproducible builds, to fingerprint files, etc. This creates an ecosystem prone to security violations.
realpath
is called with wrong arguments.find
is called with an invalid option.md5
module doesn't exist in python.