Opened 7 weeks ago

Last modified 7 weeks ago

#70472 new defect

'port fetch outdated' upgrades ports

Reported by: Lord-Kamina (Gregorio Litenstein)
Owned by:
Priority: Normal
Milestone:
Component: base
Version: 2.9.3
Keywords:
Cc: essandess (Steve Smith)
Port:

Description

I am currently updating to Ventura (slowpoke, I know), and preparing to eventually upgrade MacPorts. I reasoned that since I'll have to reinstall everything again anyway, I didn't want to waste time actually building anything.

I ran port selfupdate and now wanted to fetch the updated distfiles for installing later.

So, I ran port fetch outdated but to my surprise, it began upgrading ports as well, without my asking it to.

Addendum: It seems adding the -n option makes it behave as expected.

Attachments (1)

port.log (180.5 KB) - added by Lord-Kamina (Gregorio Litenstein) 7 weeks ago.
partial log with output of port -d fetch outdated


Change History (4)

Changed 7 weeks ago by Lord-Kamina (Gregorio Litenstein)

Attachment: port.log added

partial log with output of port -d fetch outdated

comment:1 Changed 7 weeks ago by jmroot (Joshua Root)

By design, the ports listed in depends_fetch are installed or upgraded before running the fetch target.

comment:2 Changed 7 weeks ago by ryandesign (Ryan Carsten Schmidt)

Cc: essandess added
Keywords: port fetch outdated removed

The lines in the log beginning with ---> are:

--->  Computing dependencies for aom
--->  Computing dependencies for libksba
--->  Fetching distfiles for libksba
--->  Verifying checksums for libksba
--->  Checksumming libksba-1.6.7.tar.bz2
--->  Extracting libksba
--->  Extracting libksba-1.6.7.tar.bz2
--->  Configuring libksba

This made me think that it decided that libksba was in the fetch dependency chain of aom. But the only fetch dependency the aom port has is bin:git:git. That should have been satisfied by the git already included with macOS; no port dependencies should have needed to be checked or upgraded. And if for some reason it did decide to check the git port and its dependencies, libksba is not in the recursive dependencies of git—at least not with default variants. So in fact the message "Computing dependencies for aom" is not the whole truth. Yes, it did compute aom's dependencies, finished dealing with aom, and moved on to other ports without telling us. That feels like a bug.

Ultimately it looks like libksba is being upgraded because gnupg2 depends on it, and your ghc port is outdated, and ghc has a fetch dependency on the gnupg2 port because it uses the gpg_verify portgroup.

It seems like the gpg_verify portgroup shouldn't need to declare gnupg2 as a fetch dependency. It does not use gnupg2 at fetch time. It offers a gpg_verify.verify_gpg_signature procedure which ports can call to verify a GPG signature. The ghc port calls this in a post-checksum block. MacPorts doesn't have checksum-specific dependencies; the dependency type that precedes the checksum phase most closely is fetch. But there's no particular reason why signature verification needs to happen in post-checksum. It could just as easily happen in pre-extract so that gnupg2 could become an extract dependency instead.

It seems like a design flaw of the gpg_verify portgroup to leave the decision of when to run gpg_verify.verify_gpg_signature up to the port. The portgroup should be the one to dictate that it happens at pre-extract time.

comment:3 Changed 7 weeks ago by jmroot (Joshua Root)

IMO the functionality of the gpg_verify portgroup is not something that belongs in Portfile code in the first place. It would make much more sense as an external helper script that the maintainer can run when updating the port.
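
An added sketch of the kind of maintainer-side helper comment:3 describes, not code from the ticket or from MacPorts: it checks a detached signature against a pinned fingerprint and only then prints the sha256 and size to record in the Portfile. The function names, the pinned-fingerprint argument, and the sample status lines are assumptions; it expects gpg on PATH with the upstream key already imported.

```python
import hashlib
import subprocess
import sys

REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}  # never trust these

# Constructed sample of `gpg --status-fd 1 --verify` output (not from the ticket).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {SAMPLE_FPR}\n"
)


def signature_ok(status_text, pinned_fpr):
    """True only for a good signature made by the pinned key."""
    keywords, fprs = set(), set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            keywords.add(fields[1])
            if fields[1] == "VALIDSIG" and len(fields) >= 3:
                fprs.update({fields[2].upper(), fields[-1].upper()})  # signing key, primary key
    pinned = pinned_fpr.replace(" ", "").upper()
    # VALIDSIG alone is not enough: it also accompanies EXPKEYSIG/REVKEYSIG.
    return "GOODSIG" in keywords and not (keywords & REJECT) and pinned in fprs


def sha256_and_size(path):
    """Digest and byte count of the verified distfile, for the Portfile."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def verify_and_hash(distfile, sigfile, pinned_fpr):
    """Run gpg on a detached signature, then hash the file it covers."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sigfile, distfile]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if not signature_ok(proc.stdout, pinned_fpr):
        raise SystemExit(f"signature check failed for {distfile}")
    return sha256_and_size(distfile)


if __name__ == "__main__":
    print("sha256 %s size %d" % verify_and_hash(*sys.argv[1:4]))
```

Run by the maintainer at update time, this keeps gnupg2 out of the port's dependencies entirely: users rely on the recorded checksums of the file whose signature was checked.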
