Sat, 27 Feb 2021

1:17 AM - A comparison between mports and FreeBSD ports

MidnightBSD mports started as a refactor of the FreeBSD ports with some influence from OpenBSD many years ago.  For the first few months of the project, we actually had a "ports" that was literally a checkout of FreeBSD ports with a bunch of changes to make things build. It was horribly unreliable and a huge mess.  Chris Reinhardt did a big refactor along with input from Phil Peria and I.  We started moving features into the extensions directory, which FreeBSD is now doing with their Uses directory. We also broke up a bunch of the and bsd.*.mk files into components as smaller chunks to work on and pull them in as necessary. Then the mport package manager prototype in perl happened as a replacement for pkg_tools (pkg_add, pkg_delete, etc).  Chris ported that prototype mostly to C and then I finished the port and wrote the driver program for it.  Chris got it to a point it could install and deinstall packages from the mports tree.  

One of the big design goals we all agreed on as well as our then security officer Adam Karim, was that we wanted to install the package into a directory, which we called FAKE_DESTDIR, and to force all installed mports to be packages and then installed by the tool.  This cut down on installation errors from packages that we frequently had as everything was tested this way.  It was a bit slower in mports, but the benefits outweighed the risks. This wasn't really our original idea and it was inspired by OpenBSD ports at the time. Still, it worked out really well.  As we were trying to adapt FreeBSD ports, we made a bunch of decisions that are still a difference from how FreeBSD ports work today. 

FreeBSD eventually introduced STAGEDIR which aside from being a better name, also works similarly to FAKE_DESTDIR with a few differences.  When we did the change, many ports did not have or honor a DESTDIR directory.  We found that the ones that did would just work if we made the do-install and post-install targets include it in make invocations.  In contrast, FreeBSD often has to add STAGEDIR everywhere to get it to work.  There are cases their way is better such as dealing with ruby gems or similar funky ports.   We have some mechanisms for those problems too.  FAKE_OPTS has a trueprefix option that with change the behavior of the do-install and post-install targets. Sometimes you will see ports that are double appending the DESTDIR  (/usr/mports/mycat/my/port/fake_install/usr/mports/mycat/my/port/fake_install/usr/local) type of nightmares. This works around that.  In some cases PREFIX includes both the DESTDIR and the PREFIX from a makefile sense. This is only true for do-install, post-install, do-fake, post-fake.  So if you have a newer target like ones based on options, it will not apply and you will need to use FAKE_DESTDIR.  If you actually need the PREFIX value without DESTDIR, it's available as TRUE_PREFIX.  

Another difference is the order that different parts of the framework are loaded. This can cause weird bugs if you're trying to copy a freebsd port over.  It's very evident with some of the python ports. Different modules will sometimes fail to save the options selected using the options framework.  It's a combination of the loaading order and the name that is used to distinguish different port options.  In midnightbsd, port names must be unique or it really breaks the package manager index. OPTIONS mostly work the same aside from that bug. 

Fetching distfiles is another area that can differ slightly.  Most of the same features work, but there can occasionally be difficulties fetching from github or gitlab due to the subtle differences in how package names are used in the framework as well as features we're supporting.  Sometimes one just has to add the DISTFILES explicitly or set the git tag to get it to fetch right.  MidnightBSD like FreeBSD includes fetch and libfetch.  Both mports and mport use these to get files.  The MidnightBSD version also includes the OSNAME in the user agent string so you can actually tell it came from MidnightBSD in logs. 

mport package manager doesn't support LUA scripts like pkg.  Most of those trigger operations in the PLIST files. pkg-plist by default.  You will see basic commands like @dir or @mode that work in both.  Some have been augmented in mport with the use of hacks that substitute the commands for @exec or @preexec/@postexec commands in package plists. In other cases, the business logic is in the mport package manager and requires a minimum version. 

on that topic, we recently created a port to install new versions of the package manager.  That meant we needed to put it in it's own repo.  We're bumping the version number based on updates, but mport itself doesn't know about that. Instead it reports the OS version and it's bundle version.  That is the version of the package format and sqlite database schema in use. It gets bumped when we add breaking features.  This used to go out with new OS versions and we're still working on how to manage that going forward. We may add version numbers to the package manager to make it easier to determine in the future. 

We also are looking at adding UCL support to mport. 

Another area where things are quite different is how we build packages, where to find information for them and how to detect security issues in installed packages.  We have magus for package building which is a set of perl scripts included in the mports repository currently along with a postgresql database.   There was some work to rewrite this in java a few years ago but it hasn't been completed.  We also have a few endpoints that return JSON in there for services like repology to use as well as the MidnightBSD app store which is a searchable list of packgages.  the app store also powers metadata in the graphical mport package manager in gtk3.  Then we have the security advisory site which is mostly there to work with a perl script in mports called security-advisory.  It will check installed ports against the website REST api for security issues. it's a bit slow because it fetches vulnerabilites for ALL versions from the API so as to not tip off our server what release you're using for security reasons.  We may know IP x is curious about apache httpd but we don't know what version.  We have considered adding some kind of range to this as apache in particular is very slow to process.  Magus has a web interface but it's optional.  You can actually do a package build just with the perl client that runs on a build node, and the indexer.  We then have a C program called bless that creates a sqlite3 database from the postgres database data for a given run.  We then vacuum it and bzip2 it and put it on the index site.  Finally, we mark it blessed=true in the database which is a signal for the app store and repology that those files are LIVE.