selfupdate should fetch tarball over HTTP

[raimue (Rainer Müller)]

The selfupdate method currently gets base.tar via rsync, checks the .rmd160 signature, extracts it and then compares the version. This has the drawback that it always downloads the base source code (at least once) and keeps it on disk. Furthermore rsync might not be available for users behind firewalls, making selfupdate impossible for them at the moment.

Instead selfupdate should do the following:

1. Download a single file indicating the latest version (similar to ​macports_version)
2. Compare the latest version available with the current installed version. If latest version is installed, goto end.
3. Fetch the tarball and .rmd160 signature from ​a mirror with the filenames MacPorts-${version}.tar.bz2{,.rmd160}
4. Verify signature
5. Extract source, build and install
6. After successful installation, delete tarball, .rmd160 signature file and extracted source

The advantages of this approach:

• The version is compared before downloading any files
• Tarballs are only downloaded if a newer version is available
• Fetch works over HTTP and thus allows operation behind firewalls

[ryandesign (Ryan Carsten Schmidt)]

But this problem would go away and solve itself if we replaced the selfupdate mechanism with just using the MacPorts port, as proposed in wiki:SummerOfCode#self-management

[larryv (Lawrence Velázquez)]

Cc Me!

[raimue (Rainer Müller)]

I found this old patch lying around, which I write quite some time ago. It is a work in progress and mostly untested, but it can be used as a starting point if someone else wants to pick it up.

[raimue (Rainer Müller)]

Has duplicate #16954.

[jmroot (Joshua Root)]

WIP PR that was linked from duplicate ticket ​https://github.com/macports/macports-base/pull/184

[neverpanic (Clemens Lang)]

In dd3acc4b974d274d922b705a9115ba1dc786104f/macports-base (master):

macports1.0: Selfupdate using HTTP(S)

Refactor the selfupdate package into smaller functions and switch to
a control flow of:

1. checking for newer versions by downloading a single URL
2. downloading the new version using HTTP when available
3. verifying the signature using EdDSA with ed25519 elliptic curve crypto with the help of OpenBSD's signify(1)
4. Fall back to the old rsync method if the above fails.

This allows us to automatically fall back to other mirrors should our
main mirror not be available. We did not have this functionality
available for our previous rsync-based mechanism.

Additionally, the use of our standard curl wrapper enables displaying
a progress bar for the download and automatically uses any proxies that
might already be configured for HTTP.

Since we currently do not have a standard mechanism to sign the source
code tarballs uploaded to our distfiles server and github releases page
(we only sign the tarball pushed to rsync), I've taken the liberty to
introduce a new modern signature scheme for this channel – if we have to
touch this anyway, we might as well use modern tools and algorithms.

Co-authored-by: Joshua Root <jmr@…>

Closes: #38265
Closes: ​https://github.com/macports/macports-base/pull/184