Why is ${prefix}/var/macports/home not owned by the macports user?

Andrew Udvare audvare at gmail.com
Thu Dec 31 17:18:59 UTC 2020


> On 2020-12-31, at 10:49, Janosch Peters via macports-users <macports-users at lists.macports.org> wrote:
> 
> [1] https://github.com/Janosch/macports-ports/blob/new-port-macpass/security/MacPass/Portfile

Just some comments on the port:

Line 13 (name) is not necessary because github.setup sets the name (second argument).

Does the build {} step actually download deps with Carthage? (I am fairly certain it does). This should be avoided even if it is difficult. If Carthage is downloading dependencies, then a fully offline installation is impossible with this port (think of users who suddenly have poor network conditions who still have distfiles on their machine and need to reinstall). For Rust and Go ports, we set the Portfile to download everything in the fetch phase and then build a compatible environment. This allows offline installation and avoids potential security issues. I have a Portfile that does a similar thing for an Xcode project with submodules: https://github.com/Tatsh/ports/blob/master/aqua/Fanny/Portfile#L17

You can do that, or you can make a separate port for each dependency (or subports in your port to keep it all in one file). My mas port uses separate ports for dependencies and depends on Commandant, which would normally come via Carthage: https://github.com/Tatsh/ports/blob/master/sysutils/mas/Portfile, Commandant: https://github.com/Tatsh/ports/blob/master/devel/Commandant/Portfile

Probably should add to xcode.destroot.settings:

CODE_SIGN_IDENTITY=- CODE_SIGN_STYLE=Manual ENABLE_HARDENED_RUNTIME=NO

The last one is for future-proofing in case the project decides to enable it, which it probably will. With the way xcodebuild runs, it's not possible to build with that option because it requires signing.

The fetch.type git should be removed as you should set the submodules to be downloaded in the fetch phase (and remove post-fetch phase). See https://github.com/Tatsh/ports/blob/master/aqua/Fanny/Portfile#L17 for an example. Then in the pre-configure or some other phase (post-extract is probably most appropriate), move the other extracted contents to the appropriate place in the source.

The build {} with 'carthage bootstrap' should no longer be necessary once these changes are made. And your issue with the home directory not being writable would be resolved since you do not need to run the carthage command (and you can remove the dependency too).

Your comment about being able to switch to distfiles once a release is made is not correct if you are referring to submodules. Tarballs from GitHub do not come with submodules but instead just come with empty placeholder directories where the submodules would be.

Carthage is much more for development of an app and not for package managers to invoke.

--
Andrew
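A skeleton Portfile showing the approach described in this reply (dependency sources fetched as pinned, checksummed distfiles, moved into place in post-extract, no Carthage at build time, and the codesign settings in xcode.destroot.settings). This is an added example for the thread, not the MacPass Portfile under discussion nor the linked Fanny port; the repository, dependency, commit and checksum values are placeholders.

```tcl
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
PortSystem          1.0
PortGroup           github 1.0
PortGroup           xcode 1.0

# Hypothetical project; github.setup also sets ${name}, so no separate "name" line.
github.setup        example ExampleApp 1.2.3
categories          security
license             GPL-3
description         Hypothetical Xcode app whose Carthage dependency is a git submodule

# Pin the submodule to an exact commit (placeholder value) so the build is
# reproducible, verifiable by checksum, and never fetches during build.
set dep_author      example
set dep_name        ExampleKit
set dep_commit      0123456789abcdef0123456789abcdef01234567

# The main archive comes from github.setup; the dependency archive is a second
# distfile fetched in the fetch phase (the ":dep" tag pairs file and site).
master_sites-append \
    https://github.com/${dep_author}/${dep_name}/archive/:dep
distfiles-append \
    ${dep_commit}${extract.suffix}:dep

# Placeholder checksums: fill in from "port -v checksum" for the real files.
checksums           ${distname}${extract.suffix} \
                        rmd160  PLACEHOLDER \
                        sha256  PLACEHOLDER \
                        size    PLACEHOLDER \
                    ${dep_commit}${extract.suffix} \
                        rmd160  PLACEHOLDER \
                        sha256  PLACEHOLDER \
                        size    PLACEHOLDER

# GitHub tarballs ship the submodule path as an empty directory; replace it
# with the extracted dependency archive so the Xcode project finds the sources.
post-extract {
    delete ${worksrcpath}/Carthage/Checkouts/${dep_name}
    move ${workpath}/${dep_name}-${dep_commit} \
        ${worksrcpath}/Carthage/Checkouts/${dep_name}
}

# No depends_build on carthage and no custom build {}: the sources are in place.
# Ad-hoc signing, manual style, and hardened runtime off, as xcodebuild cannot
# sign with a real identity from a build run like this.
xcode.destroot.settings \
    CODE_SIGN_IDENTITY=- \
    CODE_SIGN_STYLE=Manual \
    ENABLE_HARDENED_RUNTIME=NO
```

The submodule path (Carthage/Checkouts/${dep_name}) must match where the project's Cartfile or .gitmodules expects it; adjust it to the real layout.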

