tech-pkg archive


the libfetch twisty maze



As part of the pkg_install-verify-https discussion I went to understand
libfetch and the dependency chain of how this relates, and these are my
notes.  As will shock no one, the situation is underdocumented in a few
places.

I don't want to sprinkle comments in freeze as I try to only fix things
that are broken, but let me know if any of this is off as I'll probably
add them post-freeze as I get to it.

  pkgsrc/net/libfetch is the authoritative location for libfetch.  But it
  doesn't say that.

  The libfetch package does not build shlibs.  This seems irregular and
  contrary to our "don't vendor things" norms.  There is no comment
  explaining why.

  netbsd:src/external/bsd/fetch has the files from pkgsrc imported.  It
  builds shlibs, even though the package does not.  This isn't really
  irregular, but it points out that the package not having shlibs is.

  pkg_install does not depend on libfetch, but copies the files in.  This
  is also irregular, and is almost certainly about bootstrapping, but it
  doesn't say that.

  pkgin bl3s libfetch, but it's a static lib so ends up in the pkgin
  binary.  It's hard to verify this, and one can infer it only by seeing
  libfetch as blddep and no fetch as a required shlib.

  pkgin DEPENDS on pkg_install, rather than using some kind of
  bl3/runtime, so it always forces the installation of and use of pkgsrc
  pkg_install, even if base pkg_install is new enough.  pkgin requires
  20200701.  In NetBSD 10 there is 20210410 and pkgsrc is at 20211115.

And then thoughts about the future, assuming we change libfetch and
pkg_add to validate https.  Again, please explain if this is off.

  I don't see pkgin needing the new pkg_install because as I understand
  it, pkgin gets packages and calls pkg_add locally.

  pkgsrc does not actively protect people from having old packages, and
  does not demand that all packages be up to date.  We only require
  recent enough versions to have compatible API/ABI.  This is more or
  less doctrine.  So, I don't see us changing the required version of
  pkg_install in mk because of this; it is currently at 20191008 for
  USE_PKG_ADMIN_DIGEST.  This results in "As always, if you care about
  having all the bugfixes, you should ensure that all your software is
  up to date".  People who use "pkgin upgrade" and people who use
  pkg_rolling-replace will get new code.  (NetBSD 10 release notes, if
  those responsible for them wish, can advise removing old pkgsrc
  pkg_install.)
  

