Opened 4 months ago
Last modified 4 months ago
#70472 new defect
'port fetch outdated' upgrades ports
Reported by: | Lord-Kamina (Gregorio Litenstein) | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | base | Version: | 2.9.3 |
Keywords: | | Cc: | essandess (Steve Smith) |
Port: | | | |
Description
I am currently updating to Ventura (slowpoke, I know), and preparing to eventually upgrade macports. I reason since I'll have to reinstall everything again anyway, I didn't want to waste time actually building anything.
I ran `port selfupdate` and now wanted to fetch the updated distfiles for installing later.
So, I ran `port fetch outdated` but to my surprise, it began upgrading ports as well, without my asking it to.
Addendum: It seems adding the `-n` option makes it behave as expected.
Attachments (1)
Change History (4)
Changed 4 months ago by Lord-Kamina (Gregorio Litenstein)
comment:1 Changed 4 months ago by jmroot (Joshua Root)
By design, the ports listed in depends_fetch are installed or upgraded before running the fetch target.
comment:2 Changed 4 months ago by ryandesign (Ryan Carsten Schmidt)
Cc: | essandess added |
---|---|
Keywords: | port fetch outdated removed |
The lines in the log beginning with `--->` are:
```
---> Computing dependencies for aom
---> Computing dependencies for libksba
---> Fetching distfiles for libksba
---> Verifying checksums for libksba
---> Checksumming libksba-1.6.7.tar.bz2
---> Extracting libksba
---> Extracting libksba-1.6.7.tar.bz2
---> Configuring libksba
```
This made me think that it decided that libksba was in the fetch dependency chain of aom. But the only fetch dependency the aom port has is `bin:git:git`. That should have been satisfied by the `git` already included with macOS; no port dependencies should have needed to be checked or upgraded. And if for some reason it did decide to check the git port and its dependencies, libksba is not in the recursive dependencies of git—at least not with default variants. So in fact the message "Computing dependencies for aom" is not the whole truth. Yes, it did compute aom's dependencies, finished dealing with aom, and moved on to other ports without telling us. That feels like a bug.
Ultimately it looks like libksba is being upgraded because gnupg2 depends on it, and your ghc port is outdated, and ghc has a fetch dependency on the gnupg2 port because it uses the gpg_verify portgroup.
It seems like the gpg_verify portgroup shouldn't need to declare gnupg2 as a fetch dependency. It does not use gnupg2 at fetch time. It offers a `gpg_verify.verify_gpg_signature` procedure which ports can call to verify a GPG signature. The ghc port calls this in a post-checksum block. MacPorts doesn't have checksum-specific dependencies; the dependency type that precedes the checksum phase most closely is fetch. But there's no particular reason why signature verification needs to happen in post-checksum. It could just as easily happen in pre-extract so that gnupg2 could become an extract dependency instead.
It seems like a design flaw of the gpg_verify portgroup to leave the decision of when to run `gpg_verify.verify_gpg_signature` up to the port. The portgroup should be the one to dictate that it happens at pre-extract time.
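The log reading done by hand in comment:2 can be automated. The following is an added example, not MacPorts code and not written by anyone on this ticket: it groups the `--->` lines of a `port fetch` log by port and reports which ports ran phases past checksumming. The function names and the set of fetch-side verbs are assumptions taken only from the lines quoted above.

```python
import re

# Phase verbs a fetch-only run is expected to print (assumption: only the
# verbs visible in the log quoted in comment:2 are treated as fetch-side).
FETCH_PHASES = {"Computing", "Fetching", "Verifying", "Checksumming"}
PHASE_LINE = re.compile(r"^--->\s+(\S+)\s+(.*)$")

# The log lines quoted in comment:2, one per line.
SAMPLE_LOG = """\
---> Computing dependencies for aom
---> Computing dependencies for libksba
---> Fetching distfiles for libksba
---> Verifying checksums for libksba
---> Checksumming libksba-1.6.7.tar.bz2
---> Extracting libksba
---> Extracting libksba-1.6.7.tar.bz2
---> Configuring libksba
"""

def phases_beyond_fetch(log_text):
    """Map each port named in the log to the phases it ran past fetch/checksum."""
    beyond = {}     # port name -> ordered list of non-fetch phase verbs
    current = None  # port that the most recent phase line belonged to
    for line in log_text.splitlines():
        m = PHASE_LINE.match(line.strip())
        if not m:
            continue  # debug output and anything else that is not a phase line
        verb, rest = m.groups()
        named = " for " in rest
        target = rest.rsplit(" for ", 1)[1].strip() if named else rest.strip()
        if named or target in beyond:
            # "<Verb> ... for <port>" or "<Verb> <known port>": switch to that port.
            current = target
            beyond.setdefault(current, [])
        # Otherwise the target is a distfile name: a sub-step of the current port.
        if current is None:
            continue
        if verb not in FETCH_PHASES and verb not in beyond[current]:
            beyond[current].append(verb)
    return beyond

def ports_past_fetch(log_text):
    """Ports that did more than fetch and checksum, in order of appearance."""
    return [port for port, verbs in phases_beyond_fetch(log_text).items() if verbs]

if __name__ == "__main__":
    for port, verbs in phases_beyond_fetch(SAMPLE_LOG).items():
        print(port, "->", ", ".join(verbs) or "fetch only")
```

On the quoted lines this reports aom as fetch only and libksba as having reached the extract and configure phases, which matches the observation that the run moved from aom to another port without saying so.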
comment:3 Changed 4 months ago by jmroot (Joshua Root)
IMO the functionality of the gpg_verify portgroup is not something that belongs in Portfile code in the first place. It would make much more sense as an external helper script that the maintainer can run when updating the port.
partial log with output of port -d fetch outdated