> On 13 Dec 2021, at 10:48 am, Christopher Chavez <chrischa...@gmx.us> wrote: > > I recently specified bin:node:… build dependency in qt5-qtwebengine. I would > not consider Node.js to be a lightweight dependency, so I thought it would be > preferable to allow using whichever is present, even a non-MacPorts one, > before having to install a fallback; and because I had not investigated > whether the build process would always respect a path:… or port:… dependency. > > It has now been requested that bin:node:… not be used, in light of this > comment: > https://github.com/macports/macports-ports/commit/afad77a86ba6be6572cf0aff35db0b13401196f1#commitcomment-61791005 > > >> A `bin:`-style dependency allows any binary in the path, even in locations >> outside of MacPorts, to satisfy a dependency, which is not usually desired. > > > While I’m somewhat aware why bin:… dependencies are particularly undesirable > for library or runtime dependencies, how strongly does the recommendation to > avoid them apply to dependencies only used during build? Are they to still be > avoided as much as possible, regardless of how heavy the dependencies are or > whether one believes allowing third-party dependencies would not cause any > significant difference in the built port (w.r.t. build reproducibility) nor > pose a risk of build failure?
In my opinion yes, they should be avoided. Just because it is a build dep. doesn’t make a difference, as we want reproducible builds, which means having control over the whole process, and allowing whatever is found in 'bin’ to satisfy a dependency breaks this.
smime.p7s
Description: S/MIME cryptographic signature
