Apache2 rev bump for OpenSSL update
Daniel J. Luke
dluke at geeklair.net
Thu Mar 10 13:03:47 PST 2016
On Mar 10, 2016, at 3:36 PM, Ryan Schmidt <ryandesign at macports.org> wrote:
>>> but I'm not sure how to programmatically understand the coding style of a given portfile.
>> It's possible (we load and execute portfiles today).
>> It would probably be easier if portfiles more consistently kept to key/value style (or if we didn't use tcl as our parser).
> I don't see how we could possibly change away from tcl at this point.
I guess I'm not making myself clear.
We currently parse portfiles. If we could take the parsed version and write it back out, we could reliably do something over many ports. The fact that we currently use tcl as the parser isn't entirely relevant (other than it being a bunch of work that no one is volunteering for to change that).
We could probably make things easier by setting up some (new) constraints on portfiles to make this easier. You're clearly in favor of the arbitrary expressiveness of the current way things work, though. I would favor doing everything we can to make the Portfile syntax more declarative in all but unusual cases.
> If we balk at manually examining 300 portfiles to see if they've already been revbumped for the openssl update, nobody is going to manually examine 10,000 portfiles to make them conform to a different parser.
As with everything we release, if it were implemented we would do a 'good enough' version and fix things that were broken as people found them (worse is better).
Do you have another idea to help automate this? Keeping track of metadata about ports and the dependency tree is something that MacPorts should be able to do and we shouldn't have to expect every maintainer to do manually.
>> distributing software that has known security bugs is a problem.
> We'll have to agree to disagree.
:( tragedy of the commons.
> Most of the complexity comes from supporting more than one version. Supporting more than two versions is no more difficult.
If there were fewer versions, it might not be unduly burdensome to just have individual portfiles for each version (especially if it solved other problems). Of course, there may be some other approach to reducing portfile duplication that would leave more simple/structured portfiles that would be easy to mass-update (I haven't spent any time thinking about it).
Daniel J. Luke