On Wed, May 23, 2012 at 07:04:52PM +0100, Chris Rees thus spake:
On 23 May 2012 15:39, Bernhard Froehlich <de...@freebsd.org> wrote:
On 23.05.2012 15:55, Pav Lucistnik wrote:

Pav Lucistnik wrote on Wed, 23 May 2012 at 15:53 +0200:

Bernhard Froehlich wrote on Wed, 23 May 2012 at 15:47 +0200:
> On 23.05.2012 15:39, Pav Lucistnik wrote:
> > Martin Wilke wrote on Wed, 23 May 2012 at 13:34 +0000:
> >> miwi        2012-05-23 13:34:12 UTC
> >>
> >>   FreeBSD ports repository
> >>
> >>   Modified files:
> >>     databases/pg_filedump Makefile
> >>   Log:
> >>   - Switch to FETCH_DEPENDS to fix fetch during build
> >
> > How is this supposed to work? The log message makes no sense.
>
> The problem that this fixes is when you are building in jails
> and restrict internet access to the "fetch" target like
> pointyhat-west, redports.org and poudriere already do.

Well, the restriction was put in place for a reason 1*), and now you're
working around that very reason. So just remove the restriction from
pointyhat and problem solved.


On a second read, now I see what you're achieving. But still, the chosen
solution seems suboptimal.


On the list of broken ports there are a handful of ports (including this
one) that depend on another port's code (aka working directory). Right now
those ports are written using a dirty hack like that:

from databases/mysql-q4m:

BUILD_DEPENDS= ${NONEXISTENT}:${PORTSDIR}/databases/mysql${MYSQL_VER}-server:build
CONFIGURE_ARGS= --with-mysql="$$(cd ${PORTSDIR}/databases/mysql${MYSQL_VER}-server; ${MAKE} -V WRKSRC)"

We decided to choose the s/BUILD_DEPENDS/FETCH_DEPENDS/ solution because
it doesn't actually make the hack much worse than it already is. The
downside is that it builds during fetch which isn't nice but better than
fetch during build which is a security improvement.

If someone comes up with a better solution without completely rewriting
all those ports I would be glad to help doing it. Right now it looks like
there are around 5-10 ports of that kind.

I'm deeply unhappy about adding ad-hoc fixes like this.

Any comments about [1]?  I do think that the fixes already put in
should be reverted in favour of a proper solution.

Alternatively something like (but more hackish):

.for dep in ${PKG_DEPENDS} ${EXTRACT_DEPENDS} ${PATCH_DEPENDS} ${BUILD_DEPENDS} ${LIB_DEPENDS} ${RUN_DEPENDS}
# Check any dependencies with third tuple full, but don't duplicate.
.  if !empty(dep:M*\:*\:*) && empty(FETCH_DEPENDS:M*\:${dep:C,[^:]*\:([^:]*)\:[^:]*,\1}:\*)
FETCH_DEPENDS+= ${dep:C,[^:]*$,fetch}
.  endif
.endfor

Which is better?

Chris

====

[1]  http://www.bayofrum.net/~crees/patches/bsd.port.mk-fetch-depends.diff

When I first ported databases/jasperserver, I was told by Pav that it
couldn't be on pointyhat because it fetched post-fetch. I worked with
the vendor to provide a solution that provided the same files that
could be verified, while not compromising the build.

Is there any reason that these projects should be allowed to fetch
post-fetch?

-jgh

--
Jason Helfman
FreeBSD Committer | http://people.freebsd.org/~jgh | The Power To Serve
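
The rewrite that the .for loop quoted above aims at, as an added Python sketch (not code from this thread or from bsd.port.mk): every dependency that names a make target is mirrored into FETCH_DEPENDS with the target replaced by fetch, without duplicates. It assumes the variable values are already expanded, as `make -V BUILD_DEPENDS` would print them; the function names and the sample values are constructed for illustration.

```python
# Added sketch, not bsd.port.mk code. Assumes already-expanded variable values.
DEP_VARS = ("PKG_DEPENDS", "EXTRACT_DEPENDS", "PATCH_DEPENDS",
            "BUILD_DEPENDS", "LIB_DEPENDS", "RUN_DEPENDS")


def parse_dep(entry):
    """Split 'file:portdir[:target]'; target is None when absent."""
    parts = entry.split(":")
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1], None
    if len(parts) == 3 and all(parts):
        return parts[0], parts[1], parts[2]
    raise ValueError(f"not a dependency tuple: {entry!r}")


def fetch_depends_additions(port_vars):
    """Entries to append to FETCH_DEPENDS so nothing is fetched at build time.

    Any dependency that names a make target (third field) is mirrored with
    the target replaced by 'fetch', unless FETCH_DEPENDS already carries a
    three-field entry for the same port directory.
    """
    covered = set()
    for entry in port_vars.get("FETCH_DEPENDS", "").split():
        _, portdir, target = parse_dep(entry)
        if target is not None:
            covered.add(portdir)
    additions = []
    for var in DEP_VARS:
        for entry in port_vars.get(var, "").split():
            path, portdir, target = parse_dep(entry)
            if target is None or portdir in covered:
                continue
            additions.append(f"{path}:{portdir}:fetch")
            covered.add(portdir)
    return additions


# Constructed sample: a mysql-q4m style dependency with variables expanded.
SAMPLE = {
    "BUILD_DEPENDS": "/nonexistent:/usr/ports/databases/mysql55-server:build "
                     "gmake:/usr/ports/devel/gmake",
    "RUN_DEPENDS": "/nonexistent:/usr/ports/databases/mysql55-server:build",
}

if __name__ == "__main__":
    for entry in fetch_depends_additions(SAMPLE):
        print("FETCH_DEPENDS+=", entry)
```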