The future of the Golang Portgroup ― what to do with offline builds?

Kirill A. Korinsky kirill at
Fri Feb 16 14:58:44 UTC 2024

On Fri, 16 Feb 2024 10:24:59 +0100,
Nils Breunese wrote:
> Allowing ports to download dependencies at build time carries the risk of
> those dependencies not being available at build time, which I guess is why
> MacPorts is not a fan of this method. In a corporate setting this is typically
> mitigated by using an in-house repository manager (e.g. Artifactory or Nexus),
> which caches these dependency artifacts. This is kind of similar to MacPorts
> servers storing files, but a repository manager provides interfaces that can
> be directly used by build tools to fetch dependencies, so if we’d have a
> MacPorts repository manager a port developer (or even better: port group)
> could configure a Maven/Gradle/NPM/Yarn/whatever port to use the MacPorts
> repository manager, and then the port build should no longer depend on publicly
> available dependencies after the initial build.

Let's switch to another, usually missed aspect of automatically downloading
dependencies from the internet to build software: security.

For example, Maven, as the most popular Java build system, doesn't care about
checksums for dependencies.

It ultimately trusts the repository used, and when it builds software it can
inject any unexpected code.

On the other hand, MacPorts enforces checksumming of dependencies, which
guarantees that it is the same artifact that was used before.

wbr, Kirill
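
The checksum enforcement described in the message above, as an added example that is not part of the original e-mail and is not MacPorts or Maven code: a fetched artifact is accepted only if it matches a pinned size and SHA-256, and an artifact with no pin is rejected. The artifact names, bytes and pin table are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the pin table plays the role of checksums recorded
# when the artifact was first reviewed, keyed by artifact file name.
GOOD = b"constructed artifact bytes v1.0\n"
PINS = {
    "libexample-1.0.jar": {
        "sha256": hashlib.sha256(GOOD).hexdigest(),
        "size": len(GOOD),
    },
}

class ChecksumError(Exception):
    """A fetched artifact could not be tied to a pinned checksum."""

def verify_artifact(name, data, pins):
    """Return True only if data matches the pinned size and SHA-256."""
    pin = pins.get(name)
    if pin is None:
        # Nothing recorded to compare against: fail closed instead of
        # trusting whatever the repository served.
        raise ChecksumError(f"{name}: no pinned checksum")
    if len(data) != pin["size"]:
        raise ChecksumError(f"{name}: size {len(data)} != pinned {pin['size']}")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pin["sha256"]):
        raise ChecksumError(f"{name}: sha256 mismatch")
    return True

def check_fetch(fetched, pins):
    """Verify every fetched artifact; return {name: 'ok' or error text}."""
    results = {}
    for name, data in fetched.items():
        try:
            verify_artifact(name, data, pins)
            results[name] = "ok"
        except ChecksumError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    # Constructed fetch results: one intact artifact and one dependency
    # that was never pinned (for example, pulled in transitively).
    fetched = {"libexample-1.0.jar": GOOD, "transitive-2.3.jar": b"unreviewed"}
    for name, status in check_fetch(fetched, PINS).items():
        print(f"{name}: {status}")
```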

More information about the macports-dev mailing list