On Dec 13, 2021, at 04:48, Christopher Chavez wrote: > I recently specified bin:node:… build dependency in qt5-qtwebengine. I would > not consider Node.js to be a lightweight dependency, so I thought it would be > preferable to allow using whichever is present, even a non-MacPorts one, > before having to install a fallback; and because I had not investigated > whether the build process would always respect a path:… or port:… dependency. > > It has now been requested that bin:node:… not be used, in light of this > comment: > https://github.com/macports/macports-ports/commit/afad77a86ba6be6572cf0aff35db0b13401196f1#commitcomment-61791005 > > >> A `bin:`-style dependency allows any binary in the path, even in locations >> outside of MacPorts, to satisfy a dependency, which is not usually desired. > > > While I’m somewhat aware why bin:… dependencies are particularly undesirable > for library or runtime dependencies, how strongly does the recommendation to > avoid them apply to dependencies only used during build? Are they to still be > avoided as much as possible, regardless of how heavy the dependencies are or > whether one believes allowing third-party dependencies would not cause any > significant difference in the built port (w.r.t. build reproducibility) nor > pose a risk of build failure?
I stand by my statement. If a user already has "node" installed outside of MacPorts, you know nothing about it. Perhaps it is an ancient version the user installed 10 years ago and forgot about. Perhaps it's compiled for an architecture that doesn't run on this OS version anymore. Perhaps it's linked with libraries that the user has since removed. To increase the chance of a successful build that is the same as the one the maintainer intended to happen, use MacPorts ports as dependencies rather than whatever random thing might exist on the user's system.
