Fetching from version control (was: SSHKeychain site is dead)

Joshua Root jmr at macports.org
Sat Oct 22 08:48:20 PDT 2011


It would be good to have a web interface or similar mechanism by which
maintainers could upload directly to distfiles.macports.org. I remember
discussing this with Bill on IRC quite a while ago. I'm not sure if it's
on his todo list currently or how far down if it is. The idea might have
been for it to be part of MPWA.

Anyway, if we had this functionality, it wouldn't be inconceivable to
extend it to be able to take a VCS URL, export a tarball onto the
distfiles server, and show the checksums. That would really take away
any excuse of it being inconvenient to manually generate and host a
tarball for each release.

In the meantime, I would tend to agree that VCS fetching should be
avoided, with the possible exception of frequently updated -devel ports.

- Josh

On 2011-10-23 01:29, Landon J Fuller wrote:
> The non-validated reproducibility of SCM-based fetching continues to grate on me years after I added the cvs fetch type ... and then immediately told everyone to not actually use it (it was provided for the KDE port maintainer's development use only, with big comments in the portfiles saying "don't use this!").
> 
> That was a mistake of mine.
> 
> I'd propose the possibly unpopular opinion that SCM fetching should not be used unless the fetched contents can be verified against maintainer-supplied hashes. The downside of this policy seems low -- some software that *should* produce a release anyway will require the maintainer to instead provide a proper archive of the validated sources, or support would have to be added for hashing SCM-provided files.
> 
> The upside is that the files are validated, it's hard for upstream (or the maintainer) to slip in silent changes, and there's one less mechanism to be used to MITM someone running 'port upgrade outdated'.
> 
> Otherwise, why are we bothering to supply hashes for the other software at all?
> 
> -landonf
> 
> On Oct 22, 2011, at 4:27 AM, Ryan Schmidt wrote:
> 
>>
>> On Oct 21, 2011, at 23:09, Michael Crawford wrote:
>>
>>> For any ports for which you fetch from version control rather than
>>> downloading a tarball, I suggest that a cron job somewhere
>>> periodically fetch the latest code from the upstream version control,
>>> then make a tar backup.
>>>
>>> That way if their version control completely disappears you still have
>>> the source.
>>
>> The main server already does fetch each port as it's committed, in order to mirror the distfiles. It could perhaps be extended to tar up files fetched by ports that fetch from version control.
>>
>> Then again, if we implement #16373, maybe we get almost the same thing for free.
>>
>> https://trac.macports.org/ticket/16373
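Added example, not code from this thread or from MacPorts base, of what "support for hashing SCM-provided files" could look like: a canonical SHA-256 over a checked-out tree that skips VCS metadata directories, so a maintainer-supplied hash can be checked against a fresh checkout the same way distfile checksums are checked today. The function names, the VCS_DIRS set and the sample files are assumptions made for this example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumed set of per-checkout metadata directories to ignore (not from the thread).
VCS_DIRS = {".git", ".svn", ".hg", "CVS"}


def tree_digest(root):
    """Canonical SHA-256 of a checked-out tree.

    Regular files are visited in sorted relative-path order and each one
    contributes "<relpath>\\0<size>\\0" followed by its bytes, so the result
    does not depend on checkout order, timestamps or VCS metadata.
    Symlinks are followed; a dangling link is simply skipped by is_file()."""
    root = Path(root)
    entries = sorted((p.relative_to(root).as_posix(), p)
                     for p in root.rglob("*") if p.is_file())
    h = hashlib.sha256()
    for rel, path in entries:
        if VCS_DIRS.intersection(rel.split("/")):
            continue  # .git/, .svn/ ... differ between checkouts
        h.update(rel.encode("utf-8") + b"\0")
        h.update(str(path.stat().st_size).encode("ascii") + b"\0")
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_checkout(root, expected_sha256):
    """True only if the tree's digest equals the maintainer-supplied hash."""
    return hmac.compare_digest(tree_digest(root), expected_sha256.lower())


def write_tree(root, files):
    """Write constructed sample files; `files` maps relative path -> bytes."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Constructed checkouts: identical sources, differing VCS metadata, one tampered file."""
    src = {"README": b"demo\n", "src/main.c": b"int main(void){return 0;}\n",
           ".git/HEAD": b"ref: refs/heads/master\n"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b, \
            tempfile.TemporaryDirectory() as c:
        write_tree(a, src)
        write_tree(b, {**src, ".git/HEAD": b"ref: refs/heads/devel\n"})
        write_tree(c, {**src, "src/main.c": b"int main(void){return 1;}\n"})
        expected = tree_digest(a)  # the value a maintainer would record
        return {"digest": expected,
                "same_source": verify_checkout(b, expected),
                "tampered": verify_checkout(c, expected)}
```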



More information about the macports-dev mailing list