Given it doesn't look like this feature is going away, why don't we have the
MacPorts tool that saves the tarball on macports.org get the source and tar/zip
it up? The filename can include the SCM type, URL, revision/hash number to
ensure uniqueness. Then we won't be stuck when something like this happens.
Blair

On 10/22/11 7:29 AM, Landon J Fuller wrote:
The non-validated reproducibility of SCM-based fetching continues to grate on me years
after I added the cvs fetch type ... and then immediately told everyone to not actually
use it (it was provided for the KDE port maintainer's development use only, with big
comments in the portfiles saying "don't use this!").
That was a mistake of mine.
I'd propose the possibly unpopular opinion that SCM fetching should not be used
unless the fetched contents can be verified against maintainer-supplied hashes.
The downside of this policy seems low -- some software that *should* produce a
release anyway will require the maintainer to instead provide a proper archive
of the validated sources, or support would have to be added for hashing
SCM-provided files.
The upside is that the files are validated, it's hard for upstream (or the
maintainer) to slip in silent changes, and there's one less mechanism to be
used to MITM someone running 'port upgrade outdated'.
Otherwise, why are we bothering to supply hashes for the other software at all?
-landonf

On Oct 22, 2011, at 4:27 AM, Ryan Schmidt wrote:
On Oct 21, 2011, at 23:09, Michael Crawford wrote:
For any ports for which you fetch from version control rather than
downloading a tarball, I suggest that a cron job somewhere
periodically fetch the latest code from the upstream version control,
then make a tar backup.
That way if their version control completely disappears you still have
the source.
The main server already does fetch each port as it's committed, in order to
mirror the distfiles. It could perhaps be extended to tar up files fetched by
ports that fetch from version control.
Then again, if we implement #16373, maybe we get almost the same thing for free.
https://trac.macports.org/ticket/16373
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
--
Blair Zajac, Ph.D.
CTO, OrcaWare Technologies
<[email protected]>
Subversion training, consulting and support
http://www.orcaware.com/svn/
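
The thread raises verifying SCM-fetched sources against maintainer-supplied hashes. The following is an added example, not part of the thread and not MacPorts code, of one way to compute a reproducible digest over a checked-out tree so it can be pinned like a tarball checksum. The names `tree_digest` and `SCM_DIRS` and the record layout are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SCM_DIRS = {".git", ".svn", ".hg", "CVS"}  # working-copy metadata, not source

def tree_digest(root):
    """SHA-256 over sorted (path, type, content) records; empty dirs are ignored."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SCM_DIRS]
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                kind, body = b"l", os.fsencode(os.readlink(full))
            elif stat.S_ISREG(mode):
                kind = b"x" if mode & stat.S_IXUSR else b"f"
                with open(full, "rb") as f:
                    body = hashlib.sha256(f.read()).digest()
            else:
                raise ValueError("unsupported entry type: " + rel)
            records.append((os.fsencode(rel), kind, body))
    h = hashlib.sha256()
    for record in sorted(records):
        for field in record:
            # Length prefix keeps field boundaries unambiguous.
            h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()

def demo():
    """Constructed sample: metadata churn is ignored, a source edit is caught."""
    with tempfile.TemporaryDirectory() as root:
        head, src = Path(root, ".git", "HEAD"), Path(root, "src", "main.c")
        head.parent.mkdir()
        src.parent.mkdir()
        head.write_text("ref: a")
        src.write_text("int main(){}")
        pinned = tree_digest(root)  # stands in for the maintainer-supplied hash
        head.write_text("ref: b")
        after_metadata = tree_digest(root) == pinned
        src.write_text("int main(){} /* silent change */")
        return after_metadata, tree_digest(root) == pinned

if __name__ == "__main__":
    print(demo())
```

Timestamps and ownership are left out of the digest on purpose, since they differ between checkouts of the same revision.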