Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Odd permissions in the package tar.gz file as published to NPM #52

Closed
danfuzz opened this issue Feb 28, 2012 · 8 comments
Closed

Odd permissions in the package tar.gz file as published to NPM #52

danfuzz opened this issue Feb 28, 2012 · 8 comments

Comments

@danfuzz
Copy link

danfuzz commented Feb 28, 2012

Sometime between node-0.6.8 and node-0.6.11, the way NPM untars package files seems to have changed, and I believe this has revealed a latent problem with Hogan's package tar.gz file as published to the NPM registry.

In particular, none of the directories in the archive seem to have the execute permission flag set, which means that, once unpacked, it is impossible to actually read their contents (without altering the permission flags). This didn't bug the old NPM, but the current one will complain when attempting to install Hogan, along these lines:

npm ERR! path /tmp/npm-1330464275415/1330464275783-0.16246374556794763/___package.npm/package/bin/hulk
npm ERR! code EACCES
npm ERR! message EACCES, permission denied '/tmp/npm-1330464275415/1330464275783-0.16246374556794763/___package.npm/package/bin/hulk'

If you download, untar, and inspect the package file, you can see what's up:

$ curl -k -o hogan.tar.gz https://registry.npmjs.org/hogan/-/hogan-1.0.5-dev.tgz
[...]
$ tar xzf hogan.tar.gz 
$ ls -alF package/
total 64
drwxrwxr-x 8 ec2-user ec2-user  4096 Feb 28 21:32 ./
drwxr-xr-x 9 ec2-user ec2-user  4096 Feb 28 21:32 ../
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 bin/
-rw-rw-r-- 1 ec2-user ec2-user    14 Jan 28 21:44 .git_ignore
-rw-rw-r-- 1 ec2-user ec2-user    89 Jan 28 21:44 .gitmodules
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 lib/
-rw-rw-r-- 1 ec2-user ec2-user 10349 Jan 28 21:44 LICENSE
-rw-rw-r-- 1 ec2-user ec2-user  1324 Jan 28 21:44 Makefile
-rw-rw-r-- 1 ec2-user ec2-user   558 Jan 28 21:44 package.json
-rw-rw-r-- 1 ec2-user ec2-user  2607 Jan 28 21:44 README.md
drw-rw-r-- 4 ec2-user ec2-user  4096 Jan 28 21:44 test/
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 tools/
drw-rw-r-- 6 ec2-user ec2-user  4096 Jan 28 21:44 web/
drw-rw-r-- 2 ec2-user ec2-user  4096 Jan 28 21:44 wrappers/
$

I'd expect all the directories to show up as drwxrwxr-x, which is what you'll see in pretty much every other NPM package (or tarball in general for that matter).
@danfuzz
Copy link
Author

danfuzz commented Feb 28, 2012

See also Tar module issue #7.

@nponeccop
Copy link

+1 for this issue. I see this too. cannot install hogan by npm-install :(

@paulmillr
Copy link

@9len @BenWard @DanaDanger ping.

This one is critical — folks (and me) cannot even use hogan.

@thejohnfreeman
Copy link

Is this going to be fixed? Seems pretty straightforward.

@sayrer
Copy link
Collaborator

sayrer commented Mar 15, 2012

Should be fixed as of Hogan 2.0.0 on March 13

@sayrer sayrer closed this as completed Mar 15, 2012
@nponeccop
Copy link

But hogan 2.0.0 is not on NPM yet - only hogan-1.0.5-dev is there, so I vote for reopening.

@sayrer
Copy link
Collaborator

sayrer commented Mar 15, 2012

http://search.npmjs.org/#/hogan.js shows 2.0.0 for me

@nponeccop
Copy link

Oh, there are 2 packages: hogan and hogan.js. Are they different?

http://search.npmjs.org/#/hogan shows 1.0.5-dev.

@danfuzz danfuzz mentioned this issue Mar 9, 2012
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sayrer @nponeccop @paulmillr @danfuzz @thejohnfreeman