README: add instructions for installing via MacPorts #36
Conversation
|
Hi @herbygillot thanks for adding this - would you be able to provide a short explainer / link of how binaries are published to macports? Binaries should be built and published through GitHub actions to ensure that users have access to the latest version and also can have confidence that between the source on GitHub and the binary they installed via their package manager there has been no tampering. |
Hey @achannarasappa - so the best place to start in regards to your question is the Portfile: https://github.com/macports/macports-ports/blob/master/finance/ticker/Portfile MacPorts is no different from package managers like Ubuntu's apt (apt-get) in that packages can be pre-built and stored as binary packages in the package repositories, or also built on the user's machine at the time of installation. So as per the Portfile above, download source and target version are specified in https://github.com/achannarasappa/ticker/tarball/v2.1.0/ticker-2.1.0.tar.gz (so basically the tarball download of your 2.1.0 release) The integrity of this downloaded source tarball is verified by the checksums you see listed in the Portfile. You can check for yourself that the checksums for the tarball match the checksums listed in the Portfile. In this way, source integrity is verified through 3 different methods (2 hash algorithms + a size check). MacPorts packaging infrastructure only builds and caches packages if and only if integrity checks pass. Once they do, MacPorts infra will build the package and upload to distribution mirrors. When a user does a 'port install ticker', MacPorts checks to see if there is a pre-built package in the MacPorts mirrors, and if not, it will download the source straight from this Github repository, perform the integrity checks mentioned above, then build on the users machine and install the resulting binary into place. So as mentioned, this isn't any different from how software packages are built and distributed for the Linux distros we all know like Ubuntu, Fedora, Alpine and the like. MacPorts is home to over 10,000+ software projects, including the usual suspects like vim, tmux, Go, Rust, Python, and a ton more, and it has been around for quite a long time (longer than Homebrew actually 😅). |
|
In terms of keeping a port up-to-date, usually the maintainer is responsible for this, but you can open a PR to update the Portfile on release. This would involve an update to the version and checksums, and PR is verified by MacPorts CI, then reviewed by community stewards before being committed. |
|
Thanks for the detailed explainer @herbygillot Would you happen to be aware of any tooling to automate publishing or is this typically something custom that app published create themselves? A quick google search didn't yield too many promising results for me This would be a great addition but I feel having automation in place to ensure the latest version is available on macports would be a prerequisite to ensure users always get the latest version |
|
So there aren't any tools that permit for auto-updating ports as far as I know. There are some efforts towards that, but nothing that I could recommend as being ready to use at this moment as of yet. What most project authors do is indicate that releases of their software on 3rd-party package repositories are managed by others, and as such may not always be guaranteed to be up-to-date. In this way, if a user chooses to install via that method, they're making an informed and intentional choice. Examples:
|
|
The model of calling out these may be outdating seems sensible to me. I really appreciate your time and effort in explaining how Macports works to me. I'll (finally) merge this PR now and follow up by adding such a call out as you suggested |
|
No worries, thanks for merging @achannarasappa |
No description provided.