Archives and Packages (was Re: Universal and binary builds)

Sat Mar 28 05:21:47 PDT 2009

Jordan K. Hubbard wrote:

> It would be nice[er] IMO if a solution could be devised which makes  
> "port install foo" and "pkg install file:///foo.xar" lead to  
> exactly the same place.  Well, to be even more precise, it would be  
> nicer still if "port install foo" simply became a wrapper around  
> "port package foo -o /var/tmp/<somewhere>/foo.pkg && pkg install  
> file:///var/tmp/<somewhere>/foo.pkg && rm -f /var/tmp/<somewhere>/ 
> foo.pkg" so that the base MacPorts infrastructure could just get  
> out of the business of directly installing bits on the system.

This would still require someone to choose/write the "pkg" program,
and then make all invocations of "install" go through this layer...

And both using the RPM package manager and writing a new one was tried
(with "dp_light" and "xpkg"), neither solution has been very popular ?

The simplistic alternative here was to continue with the old archives,
and just enable "archivemode" to create them before any installation.

Then "port install" can be patched to recognize archive urls too,
and to extract the Portfile from within the archive before install.

This would look something like this, when it's been implemented:
$ sudo port install /path/to/zip-2.32_0.i386.tgz
--->  Computing dependencies for zip
--->  Unpacking tgz archive for zip 2.32_0
--->  Installing zip @2.32_0
--->  Activating zip @2.32_0

This would install the version from the +PORTFILE in the archive,
and not the "zip @3.00_0" that e.g. "port install zip" would...

There's also the remote archives from old Ticket #8571 that would
automatically construct a binary URL from the ${portarchivebinhost}

Something like:
1) use local archive from /opt/local/var/macports/packages
2) try downloading an archive (checking the GPG signature)
3) build a new archive from the Portfile/files/distfiles

That would use the normal MacPorts registry for finding the version
to install though (and also allow falling back to source if missing)

Signatures would be kept in a *.tgz.asc file, next to the archive.
There could even be an option to create such from "port archive" ?

So in all of the above, it would only use archives that are trusted.
Either by having been built locally, or by trusting the signing key.

This is similar to the "package format" that Slackware Linux uses.
Has a couple of shortcomings, but at least it is simple enough...

--anders