macports-ports icon indicating copy to clipboard operation
macports-ports copied to clipboard

Published 20 hours ago verified publisher icon macports

p5-http-message: remove dependency on p5.34-io-compress-brotli

Open lukaso opened this issue 1 year ago • 7 comments

Description

Remove dependency on problematic port p5.34-io-compress-brotli as it can't be supported and isn't critical.

https://trac.macports.org/ticket/65496

Type(s)
  • [x] bugfix
  • [ ] enhancement
  • [ ] security fix
Tested on

macOS x.y Xcode x.y / Command Line Tools x.y.z

Verification

Have you

  • [x] followed our Commit Message Guidelines?
  • [x] squashed and minimized your commits?
  • [x] checked that there aren't other open pull requests for the same change?
  • [x] referenced existing tickets on Trac with full URL in commit message?
  • [ ] checked your Portfile with port lint --nitpick?
  • [ ] tried existing tests with sudo port test?
  • [ ] tried a full install with sudo port -vst install?
  • [ ] tested basic functionality of all binary files?
  • [ ] checked that the Portfile's most important variants haven't been broken?

lukaso avatar Feb 10 '24 12:02 lukaso

this doesn't appear a correct solution. If the package is a dependency of this port you cannot just remove it - likely something else here will break. @ryandesign has suggested a possible fix in the Trac ticket to fix the broken package, so likely that should be attempted instead.

reneeotten avatar Feb 10 '24 12:02 reneeotten

this doesn't appear a correct solution

@reneeotten agreed.

@ryandesign has suggested a possible fix

I should have mentioned in the ticket (and have now): I've been building with parallel builds for a long time and it was working, but now the problem has resurfaced. Whatever race condition, I think it was being masked by turning off parallel builds. The problem isn't solved.

This is what I've done for my purposes, but then this dependency is very far down a long list of dependencies for me.

lukaso avatar Feb 10 '24 13:02 lukaso

It's fine to do that for your own purposes but isn't something we should merge in to the MacPorts project. If someone has interest in this it should be fixed properly.

reneeotten avatar Feb 10 '24 14:02 reneeotten

Just FYI for someone who comes by later. Brotli is not required: https://github.com/libwww-perl/HTTP-Message/blob/48e013943b21a310f3ad18d1cdc7fcf17d76e78b/cpanfile#L27

lukaso avatar Feb 10 '24 15:02 lukaso

Just FYI for someone who comes by later. Brotli is not required: https://github.com/libwww-perl/HTTP-Message/blob/48e013943b21a310f3ad18d1cdc7fcf17d76e78b/cpanfile#L27

okay, well that changes the situation of course a bit ;) Still not ideal, but if it isn't a required dependency then I guess i could be removed to have the p5-http-message port build correctly.

reneeotten avatar Feb 11 '24 05:02 reneeotten

It looks like the brotli version is out of date and has a vulnerability as well. https://github.com/timlegge/perl-IO-Compress-Brotli/issues/3

lukaso avatar Feb 11 '24 06:02 lukaso

It looks like the brotli version is out of date and has a vulnerability as well. timlegge/perl-IO-Compress-Brotli#3

Just for clarity, the latest IO::Compress::Brotli includes an up to date version of Brotli that is no longer vulnerable. I saw a reference in the package file in the port to using the system version of Brotli. If that version is from a macport you should also ensure that it is an up to date version.

I am pretty sure I built IO::Compress::Brotli 0.17 on a mac and it regularly builds via the Perl smokers. Happy to help if anyone has a full build log that I can review.

timlegge avatar Feb 11 '24 19:02 timlegge

@lukaso okay, if it's not required then we can remove it. However, since you're changing a depends_lib you will need to increase the revision.

reneeotten avatar Feb 25 '24 16:02 reneeotten

ping @lukaso

reneeotten avatar Mar 06 '24 15:03 reneeotten

ping @lukaso

Done

lukaso avatar Mar 06 '24 23:03 lukaso