Fetching remote content
Joshua Root
jmr at macports.org
Tue Jul 1 21:22:41 UTC 2025
On 2/7/2025 02:15, Dave Allured - NOAA Affiliate wrote:
>
>
> On Mon, Jun 30, 2025 at 1:48 PM Joshua Root <jmr at macports.org> wrote:
>
> On 1/7/2025 01:01, Dave Allured - NOAA Affiliate via macports-dev wrote:
> > Build systems may include features to fetch arbitrary remote code
> > outside of normal MacPorts controls. An example is FetchContent in
> > CMake. This can result in unexpected dependency versions and other
> > surprises.
> >
> > What are MacPorts guidelines for allowing or blocking remote
> > fetching? I could not find an established policy. Should there be one?
>
> "Don't fetch anything outside the fetch phase if at all possible."
>
> We don't disallow it entirely because there are (unfortunately) some
> build systems that will not work that way. I don't know how distros
> like FreeBSD that do completely disallow such behaviour deal with
> those build systems.
>
>
> Well put. I fully agree with this conservative approach. Thank you
> for confirming.

BTW, the aforementioned "other surprises" include breaking offline
builds and making it impossible for us to mirror all sources. The latter
can go beyond causing fetch issues as it can actually be a license
violation in some cases if we distribute binaries.

We have a global sandbox_network setting that is off by default due to
the potential for breakage. Maybe we should look at changing the default
to on and allow overriding it via a Portfile option, so we would at
least know which ports are badly behaved.

- Josh
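
An added example, not part of this thread and not MacPorts code: a Python check a port maintainer could run over a project's CMake text to list the calls that would fetch remote content outside the fetch phase, and whether each is pinned to a hash or full commit. The function names and the sample CMake text are constructed for illustration, and the parser assumes simple call arguments without nested parentheses.

```python
import re

# CMake calls that can pull remote content at configure or build time.
CALL = re.compile(
    r'\b(FetchContent_Declare|ExternalProject_Add|file)\s*\(([^()]*)\)', re.I)
FULL_SHA = re.compile(r'^[0-9a-f]{40}$', re.I)

def arg_after(tokens, keyword):
    """Return the token that follows a CMake keyword argument, or None."""
    upper = [t.upper() for t in tokens]
    if keyword in upper:
        i = upper.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None

def find_remote_fetches(cmake_text):
    """Return (command, source, pinned) for each remote fetch in the text."""
    text = re.sub(r'(?m)^\s*#.*$', '', cmake_text)  # drop whole-line comments
    findings = []
    for m in CALL.finditer(text):
        cmd, tokens = m.group(1), m.group(2).split()
        if cmd.lower() == 'file':
            if not tokens or tokens[0].upper() != 'DOWNLOAD':
                continue  # file(GLOB ...), file(READ ...) etc. are local
            source = tokens[1].strip('"') if len(tokens) > 1 else None
            pinned = arg_after(tokens, 'EXPECTED_HASH') is not None
        else:
            source = arg_after(tokens, 'GIT_REPOSITORY') or arg_after(tokens, 'URL')
            if source is None:
                continue  # no remote source declared (e.g. SOURCE_DIR only)
            tag = arg_after(tokens, 'GIT_TAG') or ''
            # A branch or tag name can move; only a hash fixes the content.
            pinned = (arg_after(tokens, 'URL_HASH') is not None
                      or bool(FULL_SHA.match(tag)))
        findings.append((cmd, source, pinned))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''
include(FetchContent)
# FetchContent_Declare(old GIT_REPOSITORY https://example.invalid/old.git)
FetchContent_Declare(libfoo
  GIT_REPOSITORY https://example.invalid/libfoo.git
  GIT_TAG main)
FetchContent_Declare(libbar
  URL https://example.invalid/libbar-1.0.tar.gz
  URL_HASH SHA256=0000000000000000000000000000000000000000000000000000000000000000)
file(DOWNLOAD https://example.invalid/data.bin ${CMAKE_BINARY_DIR}/data.bin)
file(GLOB SRCS src/*.c)
'''
```

Any finding, pinned or not, still means the build reaches the network outside the fetch phase; the pinned flag only separates reproducible fetches from ones that can silently change version.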