As the idiot responsible for how the framework actually works, I'm always running with keepenv.
Building ports by hand always ends up installing *whatever* as root, so I don't see nopass as much of a security risk either. Heck, you're going to put that shit in /usr/local/bin and run it anyway. PORTS_PRIVSEP is a much better security measure. Preventing ports from accidentally accessing the network or writing all over the system is good. The main reason PORTS_PRIVSEP is not the default is that it requires some awkward setup (fix-permissions) and that you definitely need some scripts to handle editing files as the right guy (or put yourself in the right group... in any case, you have to do stuff correctly to handle ports). Ports has a somewhat low entry barrier compared to other parts of the system, but a secure setup still requires some basic understanding of things. At some point, either you put in the work, or just use the darn packages.