The ports collection has some serious issues
vlad-fbsd at acheronmedia.com
Thu Dec 8 10:06:02 UTC 2016
On 2016-12-08 06:16, Daniil Berendeev wrote:
> * Why pkg is still nice?
> It is able to update packages with broken ABI, it's fast and easy to
> use. Some packages/ports don't have options and can be used via pkg by
> ports user.
Yes, and I'll echo what Matt said previously, and suggest Poudriere.
I've been using it exclusively for over a year and I've observed it
cleanly rebuild ports others have had hell of a time with, with
portmaster, eg. Perl upgrades.
Working with pkgs you pre-built yourself is the most atomic and flexible
way to have and use the ports ecosystem.
> 2) pkg and ports are not in sync.
> pkg appeals to build ports that are from 2xxxQx branches. The promoted
> tool for syncing ports (portsnap) always fetches from head. And there
> no way to choose. That gives us the next problem:
There is way to choose. You can change your pkg repo to "latest" via
/etc/pkg/FreeBSD.conf, or even better override it into
/usr/local/etc/pkg/repos/FreeBSD.conf (will need to create last two
dirs). See pkg.conf(5) for more info.
And that's if you use the official FreeBSD pkg builds. Another good
reason to use Poudriere and build pkgs yourself.
> 6) broken ports are pushed to head
> Why do we have such a situation, when head contains a handful of broken
> ports? Why commit a port that won't build? It's sick.
Well, that's normal? A little fact often neglected is that the HEAD is
ultra-unstable-we-just-committed-here-use-at-your-own-risk repos of some
Linux distros are.
I mean, they are the FIRST landing point of a change. And the only QA we
ask for that change is a confirmation that poudriere and portlint have
been run, the rest is at liberty of committers how far they'll go with
own testing before they commit. For many, only builds against -CURRENT
or latest -RELEASE are done because it's very time consuming to test
against all supported FreeBSD versions, and not just versions but
various permutations like different pythons etc... When it comes to some
defaults like OpenSSL (or any kind of dependency on it), all of those
tests are required.
The problem is, FreeBSD doesn't have a STABLE repo that would receive
gradual updates from HEAD as they prove themselves stable. QUARTERLY !=
STABLE, it's just a snapshot of whatever state HEAD is in, with a loose
promise the ports in it will receive "security and bugfixes only" but
that's a separate set of issues.
There are some solutions and we don't have to NIH or reinvent the wheel.
Just looking at what other open source projects do with, say, GitHub and
continuous integration testing, every pull request gets an automated
test. Why don't we do that? Is it difficult to implement it?
I am also convinced that such testing can be automated and a true
"STABLE" repo can be made instead of manual QUARTERLY that breaks
> 8) ports with vulnerabilities.
> They exist in the tree and on build attempt they shout that they won't
> build without DISABLE_VULNERABILITIES=yes. The catch is that there is
> always a bunch of ports with vulnerabilities. So if you are doing a
That's just a nature of it, and the consequence of VuXML being a
separate port that gets often updated first, as it's better to announce
the vuln before it was fixed. And fixing is bound to maintainer
timeouts, poor issue tracking via Bugzilla, etc...
> I hope that my mail will produce a productive discussion that will lead
> to some good decisions for fixing these problems.
Probably not. I've already posted about issues with head/quarterly,
hoping for a discussion, never happened. Others have complained about
the same problem, but no constructive discussion ensued. Is my
frustration coming through, yet? :)
More information about the freebsd-ports