-
Notifications
You must be signed in to change notification settings - Fork 277
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
general: support MacPorts as an installation source #1125
Comments
Thanks for raising this @herbygillot. We already maintain a homebrew setup at https://github.com/cue-lang/homebrew-tap, managed via GoReleaser. I'm not super familiar with MacPorts, so forgive the basic questions:
|
So I'm a volunteer maintainer with the MacPorts project. In a sense, MacPorts is an alternative package manager for macOS. It has a different philosophy and mode of operation compared to Homebrew. Software projects and packages are added to MacPorts as ports, which are defined by Portfiles. You are correct that this is the Portfile for
I can't say for sure - there are statistics, but those are from advanced users who knowingly opt-in to have their stats uploaded.
As mentioned before, MacPorts is an alternative to Homebrew. Some folks use Homebrew to manage open source software on their Mac, others use MacPorts, and still some other adventurous folk use both. Adding
Portfiles are kept up-to-date by maintainers. In most cases, Postfiles are marked |
Thanks very much for taking the time to explain, @herbygillot.
To my knowledge (searching Slack and GitHub) we haven't yet had anyone request support for MacPorts. I'm not sure how much to read into that however.
One of the things we really like about |
I think that makes sense. I would imagine that the number of Homebrew users dwarf MacPorts users by a quite a margin. Usually if folks want to see a particular software project added to the MacPorts catalog, they'll put in a request in the MacPorts Trac or send a request through the mailing lists.
Which makes complete sense. Unfortunately |
Hey @herbygillot @myitcv. Just wanted to mention that I'm also using MacPorts over Homebrew for the vast majority of my packages. I'm also willing to maintain the JFYI I opened goreleaser/goreleaser#1556 a while ago but it has been closed for not enough votes. |
Thanks @b4nst. @herbygillot a couple of follow-up questions: How are port files tested? Is there a way in which a port file can be tested prior to it going live? The current portfile appears to actually build |
You can create a Portfile that rely on pre-build binaries, tho it's not a recommended practice. If there is a way to build in the same mode on the end user machine, I strongly suspect a push back from the MacPorts community. It's more seen as an exception rather than an alternative. Regarding tests, before the Portfile being merged (= going live) it has to pass 3 pipelines (2 GithubAction for macos 10.15 and 11, one AzurePipeline for macos 10.14) and be reviewed and merged by a MacPorts maintainer. During deployment or update off the Portfile you can also test it locally. |
Thanks for the detail, @b4nst.
Can you provide some more detail on this? The main reason for me asking is that the official CUE binaries distributed via GitHub will be fully verifiable, built in a controlled environment. So from an integrity perspective, people will be able to precisely verify what binaries they are using.
Thanks, this is useful. Ideally we'd move to a model whereby the source of truth for this file is the main CUE repo, and automation ensures that file is then vendored elsewhere. Hence I was wondering if to help shorten that development cycle there is some way we could test the port file standalone from MacPorts, here in the CUE repo? |
I understand your point and honestly I quite agree with it. I do not have many details on why it has been that way on MacPorts, but my first PR (when I was not aware of that) on MacPorts was refused because it was using pre-built binaries (actually the ones created by goreleaser) instead of sources. They asked me to switch to end-user build before merging. I guess they're trying precisely to avoid relying on external party building the binary, so you always have a way to check the source. From an integrity perspective, the source are often (it's the case for GitHub backed ports) downloaded from an archive and checksum checked. My understanding is that if you don't set
Yup, I don't see why it would not be technically feasible. You can build and test a Portfile locally, so you can also do it on your CI Pipeline (like with a dedicated GithubAction Workflow for example). And that workflow could be the one in charge of creating the PR on MacPorts when everything has been tested and validated "locally". |
Thanks, it's exactly for this reason that I'd like to probe this a bit more. We're absolutely not against third parties building CUE, but it needs to be built consistently, i.e. resolving Indeed if third parties build in the same way as |
Hello @b4nst and thank you for breaking things down here. I think adding MacPorts support to GoReleaser is definitely an important discussion in its own right. I will chime in on the issue you opened, but it may merit discussion in the MacPorts mailing lists. So @myitcv, MacPorts does have a preferred philosophy around building software:
Basically MacPorts wants to be the one doing the download, verification and distribution of both project and dependency assets, for a number of reasons, including trust, and also the ability to continue to build the port even if the original upstream dissapears (because it can mirror all the dependency assets to MacPorts mirrors, and then MacPorts can download from these mirrors when a user requests the given port to build the target software, even if upstream isn't available). MacPorts defines phases for building a piece of software: Canonically, Go software is supposed to use what's called the
This is how the current All this is done for reasons of reproducibility, consistency, security and more. However there are definite exceptions - many Go ports are too onerous to make work with Compared to having MacPorts distribute a pre-built official The downside with That said, I have added Here's what the Portfile looks like from this PR: https://github.com/macports/macports-ports/blob/ed35bd934e1e0c9c7f1a7050abec002266c832c5/devel/cue/Portfile |
Off topic: How does MacPorts deal with retracted modules? (https://golang.org/ref/mod#go-mod-file-retract) With all of the modules being listed and mirrored, would information like this be potentially missing? Does this mean they replicate a common behavior checking for this type of thing across languages? |
To be clear, The modules specified in the Portfile's So if a new version of something is released that retracts one or more module versions, everything still works as expected. You would update |
macports/macports-ports#11783 has been merged. |
I think we're slightly talking past each other here :) Which is unsurprising, because there is a good deal of nuance in all these sorts of discussions. I'll try and explain my point a slightly different way. On a related point, how is Go itself installed via MacPorts?
My main concern with this approach is that following the MacPorts philosophy establishes a different mode of reproducibility, consistency etc to the officially distributed binaries. As I mentioned in #1125 (comment), we're absolutely not against third parties building CUE, but I'm trying to push for everyone to do it consistently.
Go development of publicly accessible code now almost exclusively relies on the public proxy and checksum db. It seems sensible therefore for builds of Go modules like CUE to depend on that infrastructure, infrastructure that is then consistent between a user's development environment and the setup used to build/install development tools. That seems easiest done by installing the officially distributed CUE binaries, but if MacPorts prefers to install from source, then following the same build approach as the official install mechanism, The acid test of whether the build result is correct is to confirm the output from If jumping on a call is the easiest way to talk this through I'd be happy to setup some time. |
MacPorts builds Go from source using the officially documented build process into the MacPorts prefix ( A user then installs Go using the same MacPorts Go will then be available at
When a user does
This is exactly what we are doing now. We're building
As requested:
This may be possible, but I'm not 100% sure, as MacPorts requires a macOS base image + special tooling to run in CI. I don't have enough experience setting that up to give guidance here at this current moment. |
Compared
They're identical, with the only difference being the version of Go each was built with; MacPorts is using the latest version of Go ( |
Running MacPorts from a GitHub action seems doable fwiu. GitHub has macos runners and there look to be (outdated) Compiling with different Go versions produces different binaries (and code) due to differences in the std library (at a minimum). I would imagine we need to ensure the Go version is the same as well.
|
@herbygillot apologies for the delay here. Whilst not totally insignificant (because of potential bugs, security issues, performance etc), the Go version difference can be ignored. Out of interest, if a user bumps their Go version, are all packages that build Go binaries rebuilt? Thanks for including the output. The significant line in what I quote below is the last one:
i.e. we have no version information for the CUE module itself, and that's the critical bit.
I suspect I have confused the discussion here. My initial reference to But just to reemphasise, building CUE from source in the official way does not require
Notice the version and checksum information associated with Recent changes to the CUE project's Hence my suggestion would be that Regarding updating of the portfile with new releases. Is there any tooling we can leverage to automate that process? I'm thinking something along the following lines: https://github.com/mislav/bump-homebrew-formula-action. How are changes to the portfile controlled? |
Raising off the back of #1121, to capture discussion about whether we add MacPorts support or not.
I know nothing about MacPorts, so will flesh out this description based on replies below.
Is your feature request related to a problem? Please describe.
TBC
Describe the solution you'd like
Support for MacPorts as an installation source:
Describe alternatives you've considered
TBC
Additional context
n/a
@herbygillot - I would be grateful if you could help to flesh out the points above.
The text was updated successfully, but these errors were encountered: