This is a minimal PKGBUILD to demonstrate the issue:
pkgname=fakepkg
pkgver=0.0
pkgrel=1
pkgdesc='Not a real package'
arch=('any')
makedepends=('npm')
package() {
  npm install -g --prefix "$pkgdir/usr" vectra@0.2.2
}
Run `makepkg`, then run `namcap *.zst`. You should get the following error:
fakepkg E: File (usr/lib/node_modules/vectra/bin/vectra.js) is owned by furrykef:furrykef
Obviously, the offending uid and gid will be different, but the message should otherwise be the same. Several files will be packaged, but only this one file in the package will have the problem. I have no idea why.
Not every package installed by npm has this issue. In fact, most don't. But there are nonetheless others that do, such as wavefile@11.0.0. I ran into the issue while trying to package a program that happens to have vectra and wavefile as dependencies (specified via the program's package.json rather than in the PKGBUILD like this).
You can work around the issue by chowning everything in "$pkgdir/usr/lib/node_modules" to root:root after running npm, but this step is easily missed and shouldn't be necessary.
Offline
I'm surprised this has no replies yet. It could potentially be a sign of a serious security issue. Something appears to be wrong with one of makepkg, fakeroot, or npm, because this shouldn't be happening, and when it happens, the affected files can be overwritten by any program.
Last edited by furrykef (Yesterday 19:03:13)
Offline
As you didn't give a working, reproducible example, meh.
Offline
What do you mean? You followed the steps I provided and didn't reproduce the error? What's the namcap output?
Offline
Have you tried using the source tarball specifically as mentioned in Nodejs package guidelines?
For example (only relevant arrays and functions):
pkgname=nodejs-vectra
_pkgname=${pkgname#nodejs-}
pkgver=2.2
package() {
  npm install -g --prefix "${pkgdir}/usr" "${srcdir}/${_pkgname}-${pkgver}.tgz"
}
Offline
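Added example, not part of any post in this thread: a standalone audit of a package tarball for the condition the namcap error above reports, an entry whose recorded owner is not root:root. The function names, the `builduser` account, and the sample archive are constructed for illustration; only the `vectra.js` path comes from the thread.

```python
import io
import sys
import tarfile


def non_root_members(fileobj):
    """Return (path, uid, gid, uname, gname) for each entry not owned by root:root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            uid_ok = m.uid == 0 and m.gid == 0
            # An empty name means the archive recorded only the numeric id.
            name_ok = m.uname in ("", "root") and m.gname in ("", "root")
            if not (uid_ok and name_ok):
                findings.append((m.name, m.uid, m.gid, m.uname, m.gname))
    return findings


def build_sample_package():
    """Constructed sample archive: one root-owned entry, one owned by a build user."""
    entries = [
        ("usr/lib/node_modules/vectra/package.json", 0, "root"),
        ("usr/lib/node_modules/vectra/bin/vectra.js", 1000, "builduser"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, owner_id, owner_name in entries:
            data = b"placeholder\n"
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = 0o755
            info.uid = info.gid = owner_id
            info.uname = info.gname = owner_name
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With a path argument, audit that (already decompressed) package tarball;
    # otherwise audit the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_package()
    bad = non_root_members(src)
    for path, uid, gid, uname, gname in bad:
        print(f"{path}: owned by {uname or uid}:{gname or gid}")
    sys.exit(1 if bad else 0)
```

If your Python's tarfile module cannot read zstd, decompress the `.pkg.tar.zst` to a plain `.tar` before passing it in. The non-zero exit status lets the check fail a build script when any entry is not root-owned.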