Re: lib dependency confusion

2018-01-12 Thread Daniel J. Luke
On Jan 12, 2018, at 5:22 PM, Bill Cole wrote:
> All very well and good for a machine running an OS version that got the 
> ShellShock update from Apple.

People probably shouldn't be running an OS version that hasn't been patched for 
a 4-year-old vulnerability.

> One of the use cases for MacPorts is to keep older Macs that are physically 
> capable of doing significant work (e.g. as servers) updated in regards to the 
> open source parts of MacOS.

I don't believe MacPorts should be in the business of helping people keep 
vulnerable (unsupported by upstream security patches) systems connected to the 
shared public resource that is the internet. I agree that the hardware is still 
useful and would suggest that there are alternative operating systems that are 
maintained and receive security patches that they could run instead.

-- 
Daniel J. Luke





Re: lib dependency confusion

2018-01-12 Thread Daniel J. Luke
On Jan 12, 2018, at 3:27 PM, Dave Horsfall wrote:
> Whether Apple wants to admit that its machines can crash and thereby cream 
> the filesystem is another question...

Presumably that's what macOS Recovery is for: 
https://support.apple.com/en-us/HT201314

-- 
Daniel J. Luke





Re: lib dependency confusion

2018-01-12 Thread Ryan Schmidt

On Jan 11, 2018, at 11:31, Vincent Habchi wrote:

> Alternatively to what Ryan just mentioned, you can statically link the 
> executable, which means that you embed all the code the executable and its 
> dependencies need into the main code. This results in a bigger executable 
> (more code) but less bloated than a full install which has a full-blown copy 
> of all libraries.
> 
> In order to do that, you can link against static archives (.a files) rather 
> than dylibs.

We don't want ports to link to static libraries if linking to dynamic libraries 
is a viable alternative.



Re: lib dependency confusion

2018-01-11 Thread Jan Stary
On Jan 11 06:23:11, ryandes...@macports.org wrote:
> >>> $ port installed depends:libressl
> >>> None of the specified ports are installed.
> >> 
> >> This result means: of the ports that specify a dependency containing the 
> >> substring "libressl", you don't have any installed. 
> > 
> > OK, what is the right way to ask port(1)
> > 
> > "which of my currently installed ports
> > do depend on the installed libressl"?
> 
> I'm not aware of a way to get the answer to that question,

Well, this seems like a very obvious question
for a package management system, right?