[144262] trunk/dports/lang/py-htmldocs/Portfile

Daniel J. Luke dluke at geeklair.net
Wed Jan 6 17:29:28 PST 2016


On Jan 6, 2016, at 6:44 PM, Ryan Schmidt <ryandesign at macports.org> wrote:
> An SSL certificate does not guarantee the user is getting the same files the maintainer did. It only guarantees the user is talking to the same server.

It's not even that strong of a guarantee (especially since the recommendation here was seemingly to just verify that the certificate is 'valid').

> One solution is to let the MacPorts distfiles mirror mirror the file, then switch the portfile to only look at the distfiles mirror, not the original server. This would need to be done every time you update the port.

Can we make it easier for maintainers to add files to the mirrors? When we used to put files into subversion, it was easy for any maintainer to avoid this problem by just checking in a snapshot. While it's undesirable to go back to that (storing lots of binaries in our svn repo isn't a great idea), being able to upload a snapshot again would be welcome.

It would fix this and to some extent also make it less 'necessary' for people to have ports fetching from source control systems (giving everyone the benefit of having the files mirrored and cacheable).

> The ideal would be to work with the developers to convince them not to issue stealth updates.

+1 for this as well.

-- 
Daniel J. Luke                                                                   
+========================================================+ 
| *---------------- dluke at geeklair.net ----------------* |                          
| *-------------- http://www.geeklair.net -------------* |                          
+========================================================+ 
|   Opinions expressed are mine and do not necessarily   |                          
|          reflect the opinions of my employer.          |                          
+========================================================+
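
Added example, not part of the original message and not MacPorts' own code: the point quoted above is that TLS authenticates the server, not the file, so a stealth update is caught only by comparing the fetched bytes with the values pinned in the Portfile's `checksums` stanza. The port name, file contents and helper names below are constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: what the maintainer fetched, and a silent
# re-release published later under the same file name.
ORIGINAL = b"constructed distfile contents, as the maintainer fetched them\n"
REPLACED = b"constructed distfile contents, silently re-released upstream\n"

def sample_portfile(data):
    """Build a constructed Portfile fragment pinning sha256 and size of data."""
    return ("name                py-example\n"
            "checksums           sha256  %s \\\n"
            "                    size    %d\n"
            % (hashlib.sha256(data).hexdigest(), len(data)))

def parse_checksums(portfile_text):
    """Return {type: value} from a Portfile `checksums` stanza."""
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)  # fold continuations
    for line in joined.splitlines():
        fields = line.split()
        if fields and fields[0] == "checksums":
            pairs = fields[1:]
            if not pairs or len(pairs) % 2:
                raise ValueError("malformed checksums stanza")
            return dict(zip(pairs[0::2], pairs[1::2]))
    raise ValueError("no checksums stanza found")

def verify_distfile(data, pinned):
    """Return the checksum types that do not match the fetched bytes."""
    mismatches, checked = [], 0
    for kind, expected in pinned.items():
        if kind == "size":
            actual = str(len(data))
        else:
            try:  # rmd160 is hashlib's "ripemd160"; it may be unavailable
                name = {"rmd160": "ripemd160"}.get(kind, kind)
                actual = hashlib.new(name, data).hexdigest()
            except ValueError:
                continue
        checked += 1
        if actual != expected.lower():
            mismatches.append(kind)
    if checked == 0:
        raise ValueError("no pinned checksum could be verified")
    return mismatches

if __name__ == "__main__":
    pinned = parse_checksums(sample_portfile(ORIGINAL))
    print("original:", verify_distfile(ORIGINAL, pinned))
    print("stealth update:", verify_distfile(REPLACED, pinned))
```

The result is the same whether the bytes arrived over a validated TLS connection or from a mirror, which is why the pinned values, not the certificate, are what detect a changed file.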






