"cask" ports just keep on rolling in...

Clemens Lang cal at macports.org
Sun Feb 7 11:17:47 UTC 2021


Hi Ken,

On Sat, Feb 06, 2021 at 11:35:58PM -0800, Ken Cunningham wrote:
> although I was concerned about getting this pattern right before we
> had too many of these to fix, it does seem the admins feel there's
> really no issue to worry about here.

I don't like this tone, Ken. "The admins" have as much obligation to
provide infrastructure as anybody else in this project, which is none.

If you feel repackaging binary archives is a thing MacPorts should
support better, please invest the time to come up with patches that do
this, or find somebody that will.


> So I guess we just open the gate and let them in. There is no
> recommendation for a requirement for a naming convention or other
> identifier.

Personally, I don't like this trend at all. It always used to be
MacPorts' policy to compile from source except in cases where Apple's
limitations made this impossible (e.g. because valid signatures with a
developer certificate were required and an ad-hoc signature would not
work).

Now, we're apparently shipping binaries compiled by other people with
other people's toolchains. When I previously installed things from
MacPorts, I knew that I'd either compile those with my own toolchain
locally, or that they had been compiled on MacPorts' buildbots.
Repackaging binaries breaks that assumption and adds additional trusted
third parties. If such parties were infiltrated by supply chain attacks
such as Xcode Ghost, we'd now ship malware via 'port install'.

I do know that we have recently started making more and more exceptions
to this rule, e.g. for Java and Haskell, and I'm guilty of preferring
these approaches to a broken build of a very outdated version, but I'd
like to argue that we should keep asking ourselves the question "should
we really trust this person's toolchain" before merging such ports and
keep pushing for builds from source where those are feasible.

Also, keep in mind that some licenses (GPL, LGPL) require us to ship the
source code that was used to compile a certain binary. Our distfiles
server does that automatically for everything that's compiled from
source, but repackaging a binary that contains compiled GPL or LGPL code
puts us in legal muddy water very quickly.

-- 
Clemens
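Ken's remark that there is no naming convention or other identifier for these ports, and Clemens's point that a repackaged binary silently widens the set of trusted parties, both argue for at least a mechanical way to flag candidates for closer review. The following is an added example, not MacPorts' own tooling: a heuristic scan of Portfile text for signals of binary repackaging. The two Portfiles are constructed samples, and the indicator set and threshold are my assumptions.

```python
import re

# Constructed sample Portfiles (not real MacPorts ports) used to exercise the heuristic.
SOURCE_PORTFILE = """\
name                foo
version             1.2.3
master_sites        https://example.invalid/src/
distname            foo-${version}
checksums           sha256 0000000000000000000000000000000000000000000000000000000000000000
configure.args      --disable-silent-rules
"""

BINARY_PORTFILE = """\
name                bar
version             4.5
master_sites        https://example.invalid/releases/
distname            Bar-${version}-macos-x86_64
extract.suffix      .dmg
use_configure       no
build               {}
destroot {
    copy ${worksrcpath}/Bar.app ${destroot}${applications_dir}
}
"""

# Assumed indicator set: archive types that normally carry prebuilt code, and
# platform/arch tokens that only make sense in a distfile name for a binary.
BINARY_SUFFIXES = (".dmg", ".pkg", ".app.zip")
ARCH_MARKERS = re.compile(r"(x86_64|arm64|aarch64|universal|macos|darwin|osx)", re.I)


def binary_indicators(portfile: str) -> list[str]:
    """Return the heuristic signals suggesting a Portfile repackages prebuilt binaries."""
    hits = []
    if re.search(r"^\s*use_configure\s+no\b", portfile, re.M):
        hits.append("use_configure no")
    if re.search(r"^\s*build\s*\{\s*\}", portfile, re.M):
        hits.append("empty build phase")
    m = re.search(r"^\s*extract\.suffix\s+(\S+)", portfile, re.M)
    if m and m.group(1) in BINARY_SUFFIXES:
        hits.append(f"binary archive suffix {m.group(1)}")
    m = re.search(r"^\s*distname\s+(\S+)", portfile, re.M)
    if m and ARCH_MARKERS.search(m.group(1)):
        hits.append(f"platform-specific distname {m.group(1)}")
    return hits


def looks_like_binary_repackage(portfile: str, threshold: int = 2) -> bool:
    """Flag a Portfile for review when enough independent indicators line up."""
    return len(binary_indicators(portfile)) >= threshold
```

A hit only means "look at this port's provenance", not that it is malicious; a from-source port that legitimately skips configure will score one indicator and stay below the threshold.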
