livecheck and curl 8.7.1

Fred Wright fw at fwright.net
Sun Apr 21 03:11:56 UTC 2024 


On Fri, 19 Apr 2024, René J.V. Bertin wrote:

> On Friday April 19 2024 22:10:40 Kirill A.  Korinsky wrote:
>
>> Because MacPorts download distfiles and packages from HTTP, not HTTPS
>> because it contains checksums for that it downloads :)
>
> Nope. Maybe for distfiles that are hosted on the own servers, but the past few years more and more ports have had their `master_sites` converted to https URLs.
>
> (With good reason: pure http sites are disappearing little by little.)
>
> A random bit of proof:
>
> DEBUG: fetch phase started at Fri Apr 19 23:04:39 CEST 2024
> --->  Fetching distfiles for pulseaudio
> DEBUG: Executing org.macports.fetch (pulseaudio)
> --->  pulseaudio-17.0.tar.xz does not exist in /opt/local/var/macports/distfiles/pulseaudio
> --->  Attempting to fetch pulseaudio-17.0.tar.xz from https://www.freedesktop.org/software/pulseaudio/releases/
>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                 Dload  Upload   Total   Spent    Left  Speed
> 100 1529k  100 1529k    0     0   977k      0  0:00:01  0:00:01 --:--:--  977k

That "proof" is completely (well, almost) irrelevant for end users.  It 
matters for port developers, but once a port is "published", its distfiles 
are copied to the MacPorts mirrors, where they can be fetched by the 
system curl on any OS.

The "almost" is because the primary distfile source is still included as a 
candidate for fetching, and in some cases may be chosen ahead of the 
mirrors.  In the non-working curl case, this at the very least adds delay, 
but there was a case a couple of years ago where MacPorts decided to 
prefer python.org to the mirrors (at my location), and the fetch (on 10.9) 
would hang in a way that wasn't subject to a timeout, so it never gave up 
and never moved on to the mirrors.  The response when I reported this was 
"gee, it's supposed to have timeouts".  I don't know exactly what got 
fixed, but I haven't seen this lately.

Livecheck is completely different, since there's no mirroring of the 
content that livecheck is looking at.

Fred Wright

More information about the macports-dev mailing list