Re: PKGSRC_SETENV?= ${SETENV} -i

[David Sainty <dave%dtsp.co.nz@localhost>]

On Thu, 2013-06-06 at 15:13 +0000, Taylor R Campbell wrote:

> Under the alternative patch I just sent to the list, in message-id
> <20130605202946.52AE760512%jupiter.mumble.net@localhost>, the `env -i' would 
> at
> first apply only to the configure, build, and install phases, so those
> environment variables would pass through to the fetch phase.
> 
> 
> I think we ought to eventually apply `env -i' to fetch and various
> other parts too, with some environment variables whitelisted:
> 
> FETCH_ENV_VARS+=      ftp_proxy
> FETCH_ENV_VARS+=      http_proxy
> FETCH_ENV_VARS+=      https_proxy

I think the fetch phase, in particular, benefits from being able to see
the user's environment unmodified.

The situation for fetching is Very Very different to building phases,
because there's already a repeatability firewall, in the form of
distinfo digests, that makes it impossible for misbehaviour in the fetch
phase to go unnoticed - and so the environment will never have any
bearing on the final contents of the package.

That's the reason why we don't need to clear the environment.  On top of
that, the reason we probably want to Not clear the environment in the
fetching phase is that fetching really is a task that will have
machine-to-machine differences in environmental requirements.

Proxy variables are an obvious example, but at least hypothetically a
site or user may have other environment-driven special needs for
arranging for network requests that we might not guess.  There doesn't
seem to be a benefit to getting in the way of that.

Cheers,

Dave