[indiana-discuss] [pkg-discuss] src packages
Mike Meyer
mwm at mired.org
Thu Dec 11 22:23:14 PST 2008
On Thu, 11 Dec 2008 14:24:47 -0600
Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> On Thu, Dec 11, 2008 at 12:34:44PM -0600, Nicolas Williams wrote:
> > On Thu, Dec 11, 2008 at 12:33:23PM -0600, Shawn Walker wrote:
> Suppose we could: a) include everything you need to re-build from source
> as a facet and, crucially, b) that we could have facets that are not
> even downloaded by default. Add in c) suppose that we could represent
> build dependencies much the same way as pkg dependencies (they are,
> after all, very similar).

Then you'd have something that offered the functionality the various
BSD ports systems have had for over a decade.

Note that "include everything you need to rebuild from source"
shouldn't be taken literally. In particular, the source tarball should
probably just have a URL. Ditto for patches that aren't necessarily
ON-specific but haven't been incorporated upstream, though
incorporating them directly needs to work.

Also note that there's a couple of different flavors of build
dependency: There's "I need this tool installed to build", for
something like bison. Then there's "I need access to these source
bits", for things like header files. Both are different from pkg
dependencies (aka run dependencies) in that you can safely remove the
package after building. However, the latter may not require actually
installing the package. You can unpack it in a scratch directory, tell
the package being built where the headers landed, and let it build,
thus saving actually installing that package.

> A related point: for security purposes we're going to want to include
> cryptographic hashes of everything referenced by URL that is needed to
> rebuild a pkg.

Security? How about simply sanity? Trying to rebuild a package that's
been modified by the upstream provider is a good way to drive an end
user crazy. Not all upstream providers provided nicely versioned
tarballs, and not all of those that do have good hygiene about
updating version numbers whenever they update the sources. Of course,
a way to say "ignore this" helps, letting users try the build knowing
that they may not have the right sources. But in that case, they're
expecting breakage.
<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
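
Added example, not part of the original message and not code from pkg or any ports system: a sketch of the check discussed above, where every URL-referenced build input is pinned by SHA-256 and size, a changed upstream tarball stops the build before it starts, and an explicit "ignore this" switch lets the user proceed anyway. The `SourceRef` format, the function names, the URLs and the sample bytes are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceRef:
    """One URL-referenced build input as pinned by the packager (hypothetical format)."""
    url: str
    sha256: str
    size: int

class SourceMismatch(Exception):
    """Fetched bytes do not match what the packager pinned."""

def check_source(ref, data, ignore_mismatch=False):
    """Return 'ok' or 'mismatch-ignored'; raise SourceMismatch on an unexpected change."""
    problems = []
    if len(data) != ref.size:
        problems.append(f"size {len(data)} != pinned {ref.size}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != ref.sha256.lower():
        problems.append(f"sha256 {digest} != pinned {ref.sha256}")
    if not problems:
        return "ok"
    if ignore_mismatch:
        # The user asked to try the build anyway and expects possible breakage.
        return "mismatch-ignored"
    raise SourceMismatch(f"{ref.url}: " + "; ".join(problems))

def verify_all(refs, fetch, ignore_mismatch=False):
    """Check every input before any build step runs; fetch(url) -> bytes is caller-supplied."""
    return {r.url: check_source(r, fetch(r.url), ignore_mismatch) for r in refs}

def pin(url, data):
    """What the packager records at packaging time."""
    return SourceRef(url, hashlib.sha256(data).hexdigest(), len(data))

# Constructed sample inputs: same file name and version, different bytes upstream.
ORIGINAL = b"foo-1.0 sources as packaged\n"
REROLLED = b"foo-1.0 sources, re-rolled upstream without a version bump\n"
PATCH = b"--- a/Makefile\n+++ b/Makefile\n"
MANIFEST = [pin("https://upstream.example/foo-1.0.tar.gz", ORIGINAL),
            pin("https://upstream.example/foo-build.patch", PATCH)]

def demo():
    """Upstream now serves REROLLED under the old name; the patch is unchanged."""
    upstream = {MANIFEST[0].url: REROLLED, MANIFEST[1].url: PATCH}
    try:
        verify_all(MANIFEST, upstream.__getitem__)
        strict = "built"
    except SourceMismatch:
        strict = "refused"
    relaxed = verify_all(MANIFEST, upstream.__getitem__, ignore_mismatch=True)
    return strict, relaxed
```

The check runs over the whole manifest before any build step, so a modified input is reported by URL instead of surfacing later as an unexplained build failure.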