> On 2020-12-31, at 10:49, Janosch Peters via macports-users
> <[email protected]> wrote:
>
> [1]
> https://github.com/Janosch/macports-ports/blob/new-port-macpass/security/MacPass/Portfile
Just some comments on the port:

Line 13 (name) is not necessary because github.setup sets the name (second
argument).

Does the build {} step actually download deps with Carthage? (I am fairly
certain it does.) This should be avoided even if it is difficult. If Carthage
is downloading dependencies, then a fully offline installation is impossible
with this port (think of users who suddenly have poor network conditions, who
still have distfiles on their machine and need to reinstall). For Rust and Go
ports, we set the Portfile to download everything in the fetch phase and then
build a compatible environment. This allows offline installation and avoids
potential security issues. I have a Portfile that does a similar thing for an
Xcode project with submodules:
https://github.com/Tatsh/ports/blob/master/aqua/Fanny/Portfile#L17

You can do that, or you can make a separate port for each dependency (or
subports in your port to keep it all in one file). My mas port uses separate
ports for dependencies and depends on Commandant, which would normally come via
Carthage: https://github.com/Tatsh/ports/blob/master/sysutils/mas/Portfile,
Commandant: https://github.com/Tatsh/ports/blob/master/devel/Commandant/Portfile

You should probably add to xcode.destroot.settings:
CODE_SIGN_IDENTITY=- CODE_SIGN_STYLE=Manual ENABLE_HARDENED_RUNTIME=NO

The last one is for future-proofing in case the project decides to enable it,
which it probably will. With the way xcodebuild runs, it's not possible to
build with that option because it requires signing.

The fetch.type git should be removed, as you should set the submodules to be
downloaded in the fetch phase (and remove the post-fetch phase). See
https://github.com/Tatsh/ports/blob/master/aqua/Fanny/Portfile#L17 for an
example. Then in pre-configure or some other phase (post-extract is
probably most appropriate), move the other extracted contents to the
appropriate place in the source.

The build {} with 'carthage bootstrap' should no longer be necessary once these
changes are made. And your issue with the home directory not being writable
would be resolved, since you do not need to run the carthage command (and you
can remove the dependency too).

Your comment about being able to switch to distfiles once a release is made is
not correct if you are referring to submodules. Tarballs from GitHub do not
come with submodules but instead just come with empty placeholder directories
where the submodules would be.

Carthage is much more for development of an app and not for package managers to
invoke.
--
Andrew
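Taken together, the changes suggested above (submodule tarballs registered as extra distfiles so they are fetched and checksummed in the fetch phase, a post-extract step that moves them into the source tree, and ad-hoc signing with the hardened runtime disabled in xcode.destroot.settings) look like the Portfile skeleton below. This is an added example written for this page; it is neither the MacPass Portfile under review nor the Fanny or mas Portfiles linked in the message. The author, project and version passed to github.setup, the submodule names, commit hashes, checkout directories and all checksum values are placeholders and must be replaced from the upstream repository's .gitmodules, `git submodule status` and `port -v checksum` output.

```tcl
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0
PortGroup           github 1.0
PortGroup           xcode 1.0

# PLACEHOLDER coordinates: replace with the real upstream author, project and tag.
github.setup        EXAMPLE_AUTHOR ExampleApp 1.0.0
# Fetch the release as a GitHub "archive" tarball; it extracts to ExampleApp-1.0.0/.
github.tarball_from archive
categories          aqua security
license             PLACEHOLDER
maintainers         nomaintainer
description         Example Xcode app whose Carthage dependencies are git submodules
long_description    {*}${description}, fetched as plain tarballs so the build never \
                    touches the network and reinstalling from cached distfiles works.

# One entry per submodule: GitHub author, project, pinned commit, and the
# directory inside the source tree where upstream checks the submodule out.
# All four columns are PLACEHOLDERS taken from .gitmodules and
# `git submodule status` at the tag being packaged.
set submodules {
    {EXAMPLE_AUTHOR DependencyOne 0000000000000000000000000000000000000000 Carthage/Checkouts/DependencyOne}
    {EXAMPLE_AUTHOR DependencyTwo 1111111111111111111111111111111111111111 Carthage/Checkouts/DependencyTwo}
}

# Register each submodule as an additional distfile so it is downloaded in the
# fetch phase, verified against the checksums below, and kept in the distfiles
# cache like any other tarball. The ":tag" suffix pairs a distfile with its
# own master_site; GitHub serves archive/<commit>.tar.gz for any commit hash.
foreach submodule ${submodules} {
    lassign ${submodule} dep_author dep_project dep_commit dep_dir
    master_sites-append https://github.com/${dep_author}/${dep_project}/archive/:${dep_project}
    distfiles-append    ${dep_commit}${extract.suffix}:${dep_project}
}

# Checksums for the main tarball and every submodule tarball.
# PLACEHOLDER values: run `port -v checksum` on the real files and paste the result.
checksums           ${distname}${extract.suffix} \
                    rmd160  PLACEHOLDER \
                    sha256  PLACEHOLDER \
                    size    PLACEHOLDER \
                    0000000000000000000000000000000000000000${extract.suffix} \
                    rmd160  PLACEHOLDER \
                    sha256  PLACEHOLDER \
                    size    PLACEHOLDER \
                    1111111111111111111111111111111111111111${extract.suffix} \
                    rmd160  PLACEHOLDER \
                    sha256  PLACEHOLDER \
                    size    PLACEHOLDER

# After extraction each submodule tarball sits beside the main source as
# <project>-<commit>/, while the main tarball only contains the empty
# placeholder directory GitHub leaves where the submodule would be.
# Remove the placeholder and move the real content into place.
post-extract {
    foreach submodule ${submodules} {
        lassign ${submodule} dep_author dep_project dep_commit dep_dir
        delete ${worksrcpath}/${dep_dir}
        move   ${workpath}/${dep_project}-${dep_commit} ${worksrcpath}/${dep_dir}
    }
}

# No `carthage bootstrap`, no network access and no writable $HOME are needed
# at build time, so there is no build {} override and no carthage dependency.

# Ad-hoc signing with a manual style, and the hardened runtime switched off:
# xcodebuild inside the MacPorts build cannot sign with a real identity, and
# the hardened runtime cannot be enabled without signing.
xcode.destroot.settings-append \
                    CODE_SIGN_IDENTITY=- \
                    CODE_SIGN_STYLE=Manual \
                    ENABLE_HARDENED_RUNTIME=NO
```

Because every dependency is an ordinary distfile, `port fetch` pulls everything up front, `port checksum` verifies each tarball against the pinned commit, and a later `port install` succeeds from the local distfiles cache with the network unplugged. Pinning submodules by full commit hash, rather than by branch or tag, is what makes the checksums stable and lets a reviewer confirm that the fetched content matches the upstream submodule pointer.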