[MacPorts] #70472: 'port fetch outdated' upgrades ports

MacPorts noreply at macports.org
Fri Aug 2 06:48:09 UTC 2024


#70472: 'port fetch outdated' upgrades ports
--------------------------+--------------------
  Reporter:  Lord-Kamina  |      Owner:  (none)
      Type:  defect       |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  base         |    Version:  2.9.3
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------
Changes (by ryandesign):

 * keywords:  port fetch outdated =>
 * cc: essandess (added)


Comment:

 The lines in the log beginning with `--->` are:

 {{{
 --->  Computing dependencies for aom
 --->  Computing dependencies for libksba
 --->  Fetching distfiles for libksba
 --->  Verifying checksums for libksba
 --->  Checksumming libksba-1.6.7.tar.bz2
 --->  Extracting libksba
 --->  Extracting libksba-1.6.7.tar.bz2
 --->  Configuring libksba
 }}}

 This made me think that it decided that libksba was in the fetch
 dependency chain of aom. But the only fetch dependency the aom port has is
 `bin:git:git`. That should have been satisfied by the `git` already
 included with macOS; no port dependencies should have needed to be checked
 or upgraded. And if for some reason it did decide to check the git port
 and its dependencies, libksba is not in the recursive dependencies of
 git—at least not with default variants. So in fact the message "Computing
 dependencies for aom" is not the whole truth. Yes, it did compute aom's
 dependencies, finished dealing with aom, and moved on to other ports
 without telling us. That feels like a bug.

 Ultimately it looks like libksba is being upgraded because gnupg2 depends
 on it, and your ghc port is outdated, and ghc has a fetch dependency on
 the gnupg2 port because it uses the
 [browser:macports-ports/_resources/port1.0/group/gpg_verify-1.0.tcl gpg_verify portgroup].

 It seems like the gpg_verify portgroup shouldn't need to declare gnupg2 as
 a fetch dependency. It does not use gnupg2 at fetch time. It offers a
 `gpg_verify.verify_gpg_signature` procedure which ports can call to verify
 a GPG signature. The ghc port calls this in a post-checksum block.
 MacPorts doesn't have checksum-specific dependencies; the dependency type
 that precedes the checksum phase most closely is fetch. But there's no
 particular reason why signature verification needs to happen in
 post-checksum. It could just as easily happen in pre-extract so that gnupg2
 could become an extract dependency instead.

 It seems like a design flaw of the gpg_verify portgroup to leave the
 decision of when to run `gpg_verify.verify_gpg_signature` up to the port.
 The portgroup should be the one to dictate that it happens at pre-extract
 time.

-- 
Ticket URL: <https://trac.macports.org/ticket/70472#comment:2>
MacPorts <https://www.macports.org/>
Ports system for macOS
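
The dependency chain described in the comment above, as an added example that is not part of the ticket or of MacPorts itself: a simplified Python model showing that a fetch-type dependency on gnupg2 makes fetching the outdated ports upgrade libksba, while an extract-type dependency does not. The phase list, the dependency-type mapping and the port data are constructed assumptions.

```python
# Simplified model of phase-scoped dependencies; not MacPorts' resolver.
PHASES = ["fetch", "checksum", "extract", "patch", "configure", "build"]

# Assumption: the phase from which each dependency type must be installed.
NEEDED_FROM = {"fetch": "fetch", "extract": "extract",
               "build": "configure", "lib": "configure"}


def make_ports(gpg_dep_type):
    """Constructed port data, limited to the ports named in the ticket."""
    return {
        # aom's only fetch dependency, bin:git:git, is met by the macOS git.
        "aom": {"outdated": True, "deps": {}},
        # gpg_verify adds gnupg2 to ghc; the dependency type is the variable.
        "ghc": {"outdated": True, "deps": {gpg_dep_type: ["gnupg2"]}},
        # Assumption: gnupg2 is current and links against libksba.
        "gnupg2": {"outdated": False, "deps": {"lib": ["libksba"]}},
        "libksba": {"outdated": True, "deps": {}},
    }


def deps_needed(ports, name, phase):
    """Direct dependencies of `name` required to run it up to `phase`."""
    limit = PHASES.index(phase)
    return [dep
            for dep_type, deps in ports[name]["deps"].items()
            if PHASES.index(NEEDED_FROM[dep_type]) <= limit
            for dep in deps]


def install_closure(ports, name, seen):
    """A required dependency must be fully installed, so all its types count."""
    if name not in seen:
        seen.add(name)
        for deps in ports[name]["deps"].values():
            for dep in deps:
                install_closure(ports, dep, seen)


def upgraded_by(ports, targets, phase):
    """Outdated ports upgraded as a side effect of running targets to `phase`."""
    seen = set()
    for target in targets:
        for dep in deps_needed(ports, target, phase):
            install_closure(ports, dep, seen)
    return sorted(n for n in seen if ports[n]["outdated"])


if __name__ == "__main__":
    for dep_type in ("fetch", "extract"):
        print(dep_type, upgraded_by(make_ports(dep_type), ["aom", "ghc"], "fetch"))
```

In this model the signature check still gates extraction either way; only the point at which gnupg2 must be installed moves.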

