Re: Acceptability of depends_build bin:…

[Christopher Jones]

> On 13 Dec 2021, at 10:48 am, Christopher Chavez <chrischavez at gmx.us> wrote:
> 
> I recently specified bin:node:… build dependency in qt5-qtwebengine. I would not consider Node.js to be a lightweight dependency, so I thought it would be preferable to allow using whichever is present, even a non-MacPorts one, before having to install a fallback; and because I had not investigated whether the build process would always respect a path:… or port:… dependency.
> 
> It has now been requested that bin:node:… not be used, in light of this comment: https://github.com/macports/macports-ports/commit/afad77a86ba6be6572cf0aff35db0b13401196f1#commitcomment-61791005
> 
> 
>> A `bin:`-style dependency allows any binary in the path, even in locations outside of MacPorts, to satisfy a dependency, which is not usually desired.
> 
> 
> While I’m somewhat aware why bin:… dependencies are particularly undesirable for library or runtime dependencies, how strongly does the recommendation to avoid them apply to dependencies only used during build? Are they to still be avoided as much as possible, regardless of how heavy the dependencies are or whether one believes allowing third-party dependencies would not cause any significant difference in the built port (w.r.t. build reproducibility) nor pose a risk of build failure?

In my opinion yes, they should be avoided. Just because it is a build dep. doesn’t make a difference, as we want reproducible builds, which means having control over the whole process, and allowing whatever is found in 'bin’ to satisfy a dependency breaks this.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1930 bytes
Desc: not available
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20211213/f59281c6/attachment.bin>