The ports collection has some serious issues

[Daniil Berendeev]

Hello guys!

First of all, it's not a hate mail, I appreciate all the work done on
the system and I enjoy using FreeBSD every day.

But after some recent experience I'd like to point out some problems
that make using the ports collection uncomfortable and painful.

Some overview before we start:
* Why I use ports over pkg?
Because, generally, packages are built with poor default options, for
example moc isn't able to play .alac/.mod and that's frustrating.

* Why pkg is still nice?
It is able to update packages with broken ABI, it's fast and easy to
use. Some packages/ports don't have options and can be used via pkg by a
ports user.

I want to contribute to FreeBSD development, so, long story short, I've
decided to move to -CURRENT. Everything went fine except the ports upgrade.

Is it possible to upgrade the ports by hand? Well, it is, but it is not
too comfortable. Ports collection by itself doesn't provide a nice way
to work with port management, so a user needs to use something for port
management. As the handbook advised, I picked portmaster.

And here begin the problems.

1) portmaster is not nice for the user.
If it comes over an error even in one little tiny port that is a
dependency for something bigger , it will abort its work and leave all
the other ports not updated. So, if you try to to do `portmaster -af`,
you should not forget `-m DISABLE_VULNERABILITIES=yes` (we will return
to this one later) and you must pray to God for not coming around a
circular dependency or some port that would fail to deinstall its older
version. You can't leave portmaster for a night to update all the needed
ports and deal with broken ones in the morning, you need to cherry pick
the broken ports and ignore them, and then try to deal with them.

Although portmaster is not releated to the FreeBSD project and is an
outside tool, there aren't any alternatives from the project itself. So
use it or die. Not a nice situation.

2) pkg and ports are not in sync.
pkg appeals to build ports that are from 2xxxQx branches. The promoted
tool for syncing ports (portsnap) always fetches from head. And there is
no way to choose. That gives us the next problem:

3) no integration between ports and packages
There is no clear, easy way to use ports and packages simultaneously. If
I'd like to use some built packages to speed up port updates, I have to
ignore by hand all the packages that I want to be built as ports. It's
easier to stick to only ports or only packages.

4) uncomfortable way of rollback
If I want to rollback, or just choose the branch from where the packages
are built (to stay in sync with pkg), I have to pull the whole svn
repository.

5) svn repository.
I don't want to spark a holy war and I don't belong to those type of
people who are always obsessed that something isn't done in their way.
But guys, svn is not a good tool for ports. Just for one reason,
actually (as for me, I could tolerate anything else, but not this one)
-- size. The size of repository is 20G+ and growing. I don't want to
pull 20G+ in /usr/ports just because I need to use ports. It's just
sick. The repository is so big because, as all ya know, svn is expensive
in branch operations. Since you've began to do those 2xxxQx branches the
size of the repository began to grow rapidly. It's inefficient and
uncomfortable. For such a work something like git or mercurial should be
used, they'd fit in 3-4G.

6) broken ports are pushed to head
Why do we have such a situation, when head contains a handful of broken
ports? Why commit a port that won't build? It's sick.
Ports are broken in a different way. Some fail to build. Some fail to
uninstall their older version (like rust), so that you need to do
`pkg remove -f portname; portmaster portname`. Some have a circular
dependency (d-bus) and will try build until the heat death of the
universe. I just don't get it, why broken ports are pushed to head, if
head is then used by portsnap to update /usr/ports? You leave tons of
users with a broken setup. And there is always a bunch of ports that
won't build. It's not just one, or two, it's a handful of ports.
pkg-fallout at FreeBSD.org is overwhelmed with build fails.

7) No way to update ports with broken ABI.
I need to run `pkg update` and then pick the broken ports by hand. Or do
`portmaster -af`.

8) ports with vulnerabilities.
They exist in the tree and on build attempt they shout that they won't
build without DISABLE_VULNERABILITIES=yes. The catch is that there is
always a bunch of ports with vulnerabilities. So if you are doing a
fresh install, you have to install those nasty vulnerable ports anyways.
It causes you to do extra moves and doesn't add no security or safety.
There is no way to pick the latest safe version.

I hope that my mail will produce a productive discussion that will lead
to some good decisions for fixing these problems.

Make ports great again :).
-- 
Cheers~

PGP key fingerprint:
07B3 2177 3E27 BF41 DC65  CC95 BDA8 88F1 E9F9 CEEF

You can retrieve my public key at pgp.mit.edu.