freebsd / poudriere

Port/Package build and test system
https://github.com/freebsd/poudriere/wiki
BSD 2-Clause "Simplified" License

Optionally rebuild packages when BUILD_DEPENDS is updated #1034

Open yurivict opened 1 year ago

yurivict commented 1 year ago

What is your proposal?

Add a boolean option to poudriere.conf to rebuild packages when any BUILD_DEPENDS is updated.

What is the existing behavior, if any?

Only RUN_DEPENDS triggers rebuild.

What is the motivation / use case for the change?

Some languages, like Golang and Rust, statically build binaries with their libraries.

There is a concern that some security fixes or other improvements don't get propagated into binaries that are built.

Currently there is a choice to bump all dependencies during a Golang or Rust port update. But this choice is on an update-by-update and port-by-port basis. It is better to have a general Poudriere option that would make dependencies rebuild.

See the relevant conversation thread for ports commit cf25897f304ef0251fdc238c9d13ea3b1b6dad16
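
To make the gap concrete, here is an added example (not poudriere's own code, and not a reproduction of its real logic) that models the two policies on a small constructed port graph: a transitive reverse-dependency walk that follows only RUN_DEPENDS edges (the existing behaviour described above) or RUN_DEPENDS plus BUILD_DEPENDS (the proposed option). The port names, edges and the `PORTS` table are constructed for illustration.

```python
from collections import deque

# Constructed sample of port metadata: each port lists its build-time and
# run-time dependencies. Go and Rust ports typically link their libraries
# statically, so the toolchain/library ports appear only as BUILD_DEPENDS.
PORTS = {
    "lang/go": {"BUILD_DEPENDS": set(), "RUN_DEPENDS": set()},
    "lang/rust": {"BUILD_DEPENDS": set(), "RUN_DEPENDS": set()},
    "net/gotool": {"BUILD_DEPENDS": {"lang/go"}, "RUN_DEPENDS": set()},
    "sysutils/rusttool": {"BUILD_DEPENDS": {"lang/rust"}, "RUN_DEPENDS": set()},
    "devel/libfoo": {"BUILD_DEPENDS": set(), "RUN_DEPENDS": set()},
    "www/dynapp": {"BUILD_DEPENDS": {"devel/libfoo"}, "RUN_DEPENDS": {"devel/libfoo"}},
    "misc/wrapper": {"BUILD_DEPENDS": set(), "RUN_DEPENDS": {"net/gotool"}},
}

def reverse_edges(ports, kinds):
    """Map each port to the ports that depend on it via the given edge kinds."""
    rdeps = {name: set() for name in ports}
    for name, deps in ports.items():
        for kind in kinds:
            for dep in deps[kind]:
                rdeps[dep].add(name)
    return rdeps

def rebuild_set(ports, changed, kinds):
    """Ports rebuilt when `changed` is updated, following only `kinds` edges
    transitively (simplified model of the policy, not poudriere's code)."""
    rdeps = reverse_edges(ports, kinds)
    seen, queue = set(), deque(changed)
    while queue:
        port = queue.popleft()
        for consumer in rdeps[port]:
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen

def stale_static_binaries(ports, changed):
    """Ports whose build inputs changed but that the RUN_DEPENDS-only policy
    leaves untouched: the statically linked case the issue describes."""
    run_only = rebuild_set(ports, changed, ("RUN_DEPENDS",))
    with_build = rebuild_set(ports, changed, ("RUN_DEPENDS", "BUILD_DEPENDS"))
    return with_build - run_only

if __name__ == "__main__":
    changed = {"lang/go"}
    print("RUN_DEPENDS only:", sorted(rebuild_set(PORTS, changed, ("RUN_DEPENDS",))))
    print("with BUILD_DEPENDS:", sorted(rebuild_set(PORTS, changed, ("RUN_DEPENDS", "BUILD_DEPENDS"))))
    print("left stale:", sorted(stale_static_binaries(PORTS, changed)))
```

Updating `lang/go` rebuilds nothing under the RUN_DEPENDS-only policy, while the dynamically linked `www/dynapp` case is covered by both policies, which is why the proposal only matters for build-time-only dependencies.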

bdrewery commented 1 year ago

With #822 we won't force rebuild anything on a RUN_DEPENDS update either. A PORTREVISION chase will be needed. Poudriere is not the only tool being used either. I do think that there is a flaw that changed BUILD_DEPENDS are not considered now, but given the direction of #822 I don't know that it makes sense to add it in now or to make it default on the official builders. The goal of #822 is to reduce needless rebuilds. Only the committer knows if a change to a port requires a chased rebuild. Plenty of commits do not. Perhaps it is not easy enough to do a PORTREVISION chase?

bdrewery commented 1 year ago

Also, having said that, the guidance should be that "With a mindset of reproducible packages, anything that changes downstream packages should have a PORTREVISION chase". If lang/go is updated and has an effect on go package binaries then a chase is needed.

yurivict commented 1 year ago

But regardless of which approach is chosen, making such behavior optional and configurable through poudriere.conf takes the burden of such a decision from Poudriere and moves it to whoever runs Poudriere.

bdrewery commented 6 months ago

Something I forgot to mention is that if we rebuild something it does not mean pkg upgrade will care and reinstall it. The goal of #822 is to only build what pkg upgrade will care about. It does no good to rebuild for a static library security issue if pkg upgrade won't do something about it. We need more thought here rather than simply making Poudriere do a rebuild. Personally, in my automated build/upgrade setups I would never know I need to go pkg install -f lang/go. I'm open to changes here but we need something smarter (less manual).