On Fri, 19 Apr 2024, René J.V. Bertin wrote:

> On Friday April 19 2024 22:10:40 Kirill A. Korinsky wrote:
>
> > Because MacPorts download distfiles and packages from HTTP, not HTTPS
> > because it contains checksums for that it downloads :)
>
> Nope. Maybe for distfiles that are hosted on the own servers, but the past few
> years more and more ports have had their `master_sites` converted to https URLs.
> (With good reason: pure http sites are disappearing little by little.)
>
> A random bit of proof:
>
> DEBUG: fetch phase started at Fri Apr 19 23:04:39 CEST 2024
> ---> Fetching distfiles for pulseaudio
> DEBUG: Executing org.macports.fetch (pulseaudio)
> ---> pulseaudio-17.0.tar.xz does not exist in
> /opt/local/var/macports/distfiles/pulseaudio
> ---> Attempting to fetch pulseaudio-17.0.tar.xz from
> https://www.freedesktop.org/software/pulseaudio/releases/
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 100 1529k 100 1529k 0 0 977k 0 0:00:01 0:00:01 --:--:-- 977k

That "proof" is completely (well, almost) irrelevant for end users. It
matters for port developers, but once a port is "published", its distfiles
are copied to the MacPorts mirrors, where they can be fetched by the
system curl on any OS.

The "almost" is because the primary distfile source is still included as a
candidate for fetching, and in some cases may be chosen ahead of the
mirrors. In the non-working curl case, this at the very least adds delay,
but there was a case a couple of years ago where MacPorts decided to
prefer python.org to the mirrors (at my location), and the fetch (on 10.9)
would hang in a way that wasn't subject to a timeout, so it never gave up
and never moved on to the mirrors. The response when I reported this was
"gee, it's supposed to have timeouts". I don't know exactly what got
fixed, but I haven't seen this lately.

Livecheck is completely different, since there's no mirroring of the
content that livecheck is looking at.

Fred Wright
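
The two mechanisms discussed in this thread, as an added Python example (not MacPorts code and not written by any of the posters): a checksum pinned ahead of time protects the integrity of a file fetched over plain HTTP, and a wall-clock deadline per source keeps a stalled primary site from blocking the fall-through to the mirrors. The function name `fetch_verified`, the source names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import threading

def fetch_verified(sources, sha256_hex, size, per_source_timeout=0.2):
    """Try (name, fetch) pairs in order; return (name, data, log) for the
    first source whose bytes match the pinned size and SHA-256."""
    log = []
    for name, fetch in sources:
        result = {}

        def worker(fetch=fetch, result=result):
            try:
                result["data"] = fetch()
            except Exception as exc:  # connection refused, TLS failure, ...
                result["error"] = exc

        # Wall-clock deadline enforced from outside the transfer, so a fetch
        # that ignores its own timeouts still cannot block the fall-through.
        t = threading.Thread(target=worker, daemon=True)
        t.start()
        t.join(per_source_timeout)
        if t.is_alive():
            log.append((name, "timeout"))
            continue
        if "error" in result:
            log.append((name, "error"))
            continue
        data = result["data"]
        digest = hashlib.sha256(data).hexdigest()
        if len(data) != size or not hmac.compare_digest(digest, sha256_hex):
            log.append((name, "checksum mismatch"))  # tampered or truncated
            continue
        log.append((name, "ok"))
        return name, data, log
    raise RuntimeError(f"no source delivered a verified file: {log}")

# Constructed sample: the pinned values play the role of a port's checksums.
DISTFILE = b"constructed distfile contents"
PINNED_SHA256 = hashlib.sha256(DISTFILE).hexdigest()
SOURCES = [
    ("primary (https, stalls)", lambda: threading.Event().wait()),
    ("mirror-a (http, tampered)", lambda: DISTFILE + b" plus injected bytes"),
    ("mirror-b (http)", lambda: DISTFILE),
]

def demo():
    return fetch_verified(SOURCES, PINNED_SHA256, len(DISTFILE))

if __name__ == "__main__":
    print(demo()[2])
```

The checksum covers integrity only; anyone on the path can still see which distfile was requested over HTTP.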