[MacPorts] #61192: Lots of golang ports are downloading dependencies at build time

MacPorts noreply at macports.org
Thu Oct 1 00:53:06 UTC 2020


#61192: Lots of golang ports are downloading dependencies at build time
-------------------------------------------------+-------------------------
  Reporter:  amake                               |      Owner:  (none)
      Type:  defect                              |     Status:  new
  Priority:  Normal                              |  Milestone:
 Component:  ports                               |    Version:
Resolution:                                      |   Keywords:
      Port:  annie aws-vault certigo chezmoi     |
  cloudmonkey copilot croc elvish evans fzf      |
  gitqlite glow go-migrate golangci-lint gore    |
  gotop grpcurl hugo ipfs istioctl jenkins-cli   |
  k9s krew kubergrunt kustomize micro mole       |
  newreleases pulumi rclone scw staticcheck      |
  syncthing tektoncd-cli terragrunt trivy uni    |
  up webify wtfutil yq                           |
-------------------------------------------------+-------------------------

Comment (by amake):

 Replying to [comment:53 breun]:
 > I must admit I do not completely understand what the problem exactly is.

 There are two problems:

 1. Downloading dependencies outside of MacPorts' fetch mechanism prevents
 MacPorts from mirroring distfiles. That's bad for a number of reasons,
 such as: upstream could disappear, or we send a lot of traffic their way
 putting a strain on their infrastructure.
 2. Some build-time dependency fetching schemes lack a locking mechanism,
 so the exact version of the dependency used can differ depending on when
 exactly the build was performed. This is bad for reproducibility.

 > I am however very familiar with the Java ecosystem and the Maven build
 tool specifically and I'm used to build tools downloading dependencies at
 build time (when not previously downloaded and locally cached).

 Sure, that's fine and good, but suboptimal for a MacPorts port.

 > Maven uses Maven repositories to download dependencies, which support
 hashes and signatures, etc. Is the problem that Go builds download
 dependencies without any checks? If not, what is the problem exactly?

 No, Maven is also problematic for (1) above. For (2), Maven does allow
 version ranges but they are not used that often in my experience, so
 that's good. But in my experience it also doesn't provide a lockfile-like
 mechanism that would ensure that dependencies can't be silently replaced
 upstream.

 Are there ports building with Maven that are downloading their
 dependencies at build time? If so, I guess the main reason they have been
 given a pass in the past is, as I understand it:

 a. Until recently there was no Java port, and Java could not be assumed to
 be available, so we basically didn't build any Java ports from source;
 they have mostly been grabbing pre-compiled (JAR) distfiles
 b. No one was paying attention

-- 
Ticket URL: <https://trac.macports.org/ticket/61192#comment:55>
MacPorts <https://www.macports.org/>
Ports system for macOS
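As an added illustration of problem (2) above, written for this page rather than taken from the ticket or from any MacPorts port: a small Go checker that compares the requirements in a port's go.mod with the entries in go.sum and reports modules whose exact source tree has no recorded hash, so their code would be fetched at build time with nothing pinning what comes back. The module paths and h1: values are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// parseRequires returns "path version" pairs from go.mod text, handling both
// the single-line and the parenthesised require form and ignoring comments.
func parseRequires(gomod string) (reqs []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drops "// indirect"
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs = append(reqs, f[1]+" "+f[2])
		case inBlock && len(f) == 2:
			reqs = append(reqs, f[0]+" "+f[1])
		}
	}
	return reqs
}

// Unlocked lists requirements with no "h1:" source-tree hash in go.sum; a ".../go.mod"
// line pins only the dependency's own go.mod, so its code would be fetched unverified.
func Unlocked(gomod, gosum string) (missing []string) {
	locked := map[string]bool{}
	for _, line := range strings.Split(gosum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && strings.HasPrefix(f[2], "h1:") && !strings.HasSuffix(f[1], "/go.mod") {
			locked[f[0]+" "+f[1]] = true
		}
	}
	for _, r := range parseRequires(gomod) {
		if !locked[r] {
			missing = append(missing, r)
		}
	}
	return missing
}
// Constructed sample files, not from any real port; the h1: values are placeholders.
const sampleGoMod = "module example.com/app\n\nrequire (\n\texample.com/pinned v1.2.0\n\texample.com/unpinned v0.3.1 // indirect\n)\nrequire example.com/single v2.0.0\n"
const sampleGoSum = "example.com/pinned v1.2.0 h1:PLACEHOLDER=\nexample.com/pinned v1.2.0/go.mod h1:PLACEHOLDER=\nexample.com/unpinned v0.3.1/go.mod h1:PLACEHOLDER=\nexample.com/single v2.0.0 h1:PLACEHOLDER=\n"

func main() {
	fmt.Println("requirements without a source hash in go.sum:", Unlocked(sampleGoMod, sampleGoSum))
}
```

A requirement whose packages are never compiled into the port can legitimately carry only a `/go.mod` line, so treat a hit as a prompt to inspect the port's build, not as a verdict.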


More information about the macports-tickets mailing list