librsvg, and what MacPorts is for

Tue Oct 10 22:09:44 UTC 2023

>
> That said, I presume there's a strong overall consensus that on current
> hardware, we run the current (supported) versions of software, and that
> older operating systems and hardware are supported only on a "if it doesn't
> hurt anything" basis.
>

I'm not sure this is 100% accurate, either. I think it's pretty much up to
the maintainers of each individual port, but I know that at least for me,
since I have some hardware that, for example, can't be upgraded beyond
10.11, I tend to maintain my ports using a "try our very best to make the
current version of the software work on older macOSes" mentality (hence the
existence of things like the legacysupport PortGroup). In some cases, that
may mean making a version-numbered subport of an older release that still
works on an older macOS, like what we have had to do with MoltenVK.

Is this potentially a risk when there are security patches that only work
on newer macOSes? Yes, but using an older version of macOS in and of itself
can be considered a security risk, so I think it's up to the user to make
the decision whether to run an out-of-date version of some piece of
software that is still being made available through MacPorts.

-- 
Jason Liu

On Tue, Oct 10, 2023 at 3:26 PM Perry E. Metzger <perry at piermont.com> wrote:

> And Mascguy didn't seem to care to explain the situation, which I clearly
> didn't understand. Okay, That makes more sense and is acceptable.
>
> That said, I presume there's a strong overall consensus that on current
> hardware, we run the current (supported) versions of software, and that
> older operating systems and hardware are supported only on a "if it doesn't
> hurt anything" basis.
>
> Perry
>
>
> On 10/10/23 14:08, Gregorio Litenstein wrote:
>
> In general terms I (who am absolutely nobody) agree with you, but there's
> one thing I believe you're not taking into account and it's that this is a
> fallback version for users with ancient hardware.
>
> The main `librsvg` port is currently at `2.56.3`, which was released two
> months ago
>
> @Chris, I belive OP didn't realize it's not the main port.
>
>
> Gregorio Litenstein Goldzweig [image: glit_qr_4.png]
> Médico Cirujano
>
>
>    - Fono: +56 9 96343643
>    - E-Mail: g.litenstein at gmail.com
>
>
> On 10 Oct 2023 15:07 -0300, Chris Jones <jonesc at hep.phy.cam.ac.uk>
> <jonesc at hep.phy.cam.ac.uk>, wrote:
>
> Hi,
>
> I am not sure what you are complaining about. Version 2.56.3, whilst not
> the absolute latest version a pretty up to date rust based version, is
> already used on Darwin 10 and newer. Your mail below seems to imply the old
> C version is used everywhere, which just isn't the case. What am I missing
> here ?
>
> Chris
>
> On 10 Oct 2023, at 6:48 pm, Perry E. Metzger <perry at piermont.com>
> <perry at piermont.com> wrote:
>
> See the following thread:
> https://github.com/macports/macports-ports/pull/20744 — but to summarize,
> Mascguy does not want to update librsvg to a safe / modern one because
> ancient versions of MacOS can't support Rust.
>
> So I don't want to be a pain in the neck, but I have little interest in
> MacPorts if the point is to preserve compatibility with MacOS 10.5 at the
> expense of having the thousands of users of current Macs and current MacOS
> have a dangerously insecure version of a basic SVG graphics library that
> other things depend on.
>
> (The upstream librsvg maintainers have washed their hands of the old C
> version and don't support it any more, and for good reason. The Rust
> version of the library provides a far more secure codebase.)
>
> I don't know how other people feel here, but I don't work on MacPorts
> because I like retrocomputing, but rather because I want to use Unix tools
> on my modern Macs.
>
> If we're all on the same page that the priority is current MacOS users,
> then we need to make sure that policy is well understood by all and we need
> to update ports that are being held back for the benefit of people using an
> OS from 2007.
>
> If the consensus is that we prioritize ancient versions of MacOS with
> three users (or sometimes none) over the experience the bulk of the users
> have, that's fine, and I'll accept it, but then I'm switching to Brew, and
> I will advise others to do the same, and will explain that current versions
> of MacPorts cannot be trusted to have safe software because the people
> involved prioritize support for ancient versions of the operating system.
>
> I will accept whatever the consensus is.
>
> Perry
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20231010/9c3b6c34/attachment.htm>