"cask" ports just keep on rolling in...

Clemens Lang cal at macports.org
Mon Feb 8 18:51:13 UTC 2021


Hi Ken,

On Sun, Feb 07, 2021 at 07:59:39AM -0800, Ken Cunningham wrote:
> > Now, we're apparently shipping binaries compiled by other people
> > with other people's toolchains. When I previously installed things
> > from MacPorts, I knew that I'd either compile those with my own
> > toolchain locally, or that they had been compiled on MacPorts'
> > buildbots. Repackaging binaries breaks that assumption and adds
> > additional trusted third parties. If such parties were infiltrated
> > by supply chain attacks such as Xcode Ghost, we'd now ship malware
> > via 'port install'.
> 
> Now that the reality of what this really means comes to the fore,
> people are starting to be more vocal about their thoughts on it. This
> is good. These ports have been coming in, with no plan so far.

I simply haven't followed the other thread. There are about a hundred
messages in there, and as you surely have noticed, I no longer have the
time to contribute as much and/or read such long threads :/


> So new policy coming then?
> 
> As I stated at the very beginning months ago, with no plan or
> guidance, these just keep coming in. I am not championing this, but
> raising the flag here that there is a potential problem.
> 
> If it took a slightly more obvious message about what this really
> meant to get everyone to notice, I guess I accept that.

I think we should document a proposal somewhere in the wiki, invite for
comments, and then once a consensus is reached, that becomes our policy.

MacPorts has usually made such decisions by consensus rather than
benevolent dictatorship. I recall only one instance in our history where
we have strayed from this path, and that was the migration to GitHub,
which was planned and prototyped by a smaller group of people before it
was announced. We've never had a formal process to make such policy
decisions, but maybe it is time do introduce one by example now.

Ken, you're obviously aware of the potential issues with shipping
binaries. Would you find the time to write a proposed policy for how
MacPorts should handle this and ask for comments?

I personally see three potential alternatives:

(a) don't accept binary ports except for the cases where Apple's signing
requirements or the buildsystem complexity do not allow us to build our
own.

(b) accept binary ports in the main tree with a clear naming scheme
(unfortunately I don't think the variant proposal is enough, it's simply
not obvious enough what you're getting and that you're trusting
additional third parties by installing those)

(c) create a separate tree that contains binaries and require users that
want those to add said tree to sources.conf (potentially with some
usability improvements like providing a command to automatically do
that).


The last proposal might require some work on base and potentially the
CI, but I think it could be done with limited effort. My personal
preference is a > c > b, but since I'm no longer that involved in
MacPorts development that's a decision I'd leave to the people that are
more active contributors.


HTH,
-- 
Clemens
