On 2/7/2025 02:15, Dave Allured - NOAA Affiliate wrote:
> On Mon, Jun 30, 2025 at 1:48 PM Joshua Root <[email protected]> wrote:
> > On 1/7/2025 01:01, Dave Allured - NOAA Affiliate via macports-dev wrote:
> > > Build systems may include features to fetch arbitrary remote code
> > > outside of normal MacPorts controls. An example is FetchContent in
> > > CMake. This can result in unexpected dependency versions and other
> > > surprises.
> > >
> > > What are MacPorts guidelines for allowing or blocking remote fetching?
> > > I could not find an established policy. Should there be one?
> >
> > "Don't fetch anything outside the fetch phase if at all possible." We
> > don't disallow it entirely because there are (unfortunately) some build
> > systems that will not work that way. I don't know how distros like
> > FreeBSD that do completely disallow such behaviour deal with those
> > build systems.
>
> Well put. I fully agree with this conservative approach. Thank you for
> confirming.

BTW, the aforementioned "other surprises" include breaking offline builds and making it impossible for us to mirror all sources. The latter can go beyond causing fetch issues as it can actually be a license violation in some cases if we distribute binaries.
We have a global sandbox_network setting that is off by default due to the potential for breakage. Maybe we should look at changing the default to on and allow overriding it via a Portfile option, so we would at least know which ports are badly behaved.
- Josh
