pianobar @2011.11.11-1 Update pianobar to 2011.11.11 build

[zheaton@…]

Update pianobar to the most recent github release, which fixes authentication errors, makes TLS connections the default, and embeds the Pandora certificate fingerprint. Note that this is more recent than the 2011.11.11 snapshot posted on the Pianobar homepage.

[zheaton@…]

Portfile patch

[ryandesign (Ryan Carsten Schmidt)]

We would prefer to fetch from a distfile rather than from git. Why is the 2011.11.11 release not sufficient -- which changes made since then do we absolutely need? It might be preferable to express those changes as patchfiles to the 2011.11.11 source. Or just wait for the next release; if the changes are essential, surely a new release is imminent.

[zheaton@…]

The primary advantage of the current git snapshot over the 2011.11.11 release is simplified configuration. The 2011.11.11 release requires the user to manually export the TLS certificates used to authenticate Pandora and set up a configuration file pointing at the certificates. The current github snapshot eliminates that step by embedding the Pandora certificate fingerprint directly in the application.

That said, if there is a strong preference for using snapshots instead of git, it probably makes more sense to wait for a new snapshot.

[ryandesign (Ryan Carsten Schmidt)]

revised patch

[ryandesign (Ryan Carsten Schmidt)]

It looks like there's just ​a single upstream revision we need for that. So here's patch to use the 2011.11.11 distfile, plus that patch.

[fitzmorrispr@…]

Cc Me!

[aguynamedryan+macports@…]

Replying to ryandesign@…:

Thanks zheaton and ryandesign for the patches!

pianobar-2011.11.11.diff works for me, though I don't understand why distfiles are preferred over fetching via git. Is there some documentation on this?

[ryandesign (Ryan Carsten Schmidt)]

Replying to aguynamedryan+macports@…:

pianobar-2011.11.11.diff works for me,

Committed in r87249.

though I don't understand why distfiles are preferred over fetching via git. Is there some documentation on this?

When you fetch from a version control system instead of a distfile, we cannot use checksums to verify the distfile's integrity and verify that it has not changed since the port was written. And if there is no distfile we cannot mirror it on our network of distfiles servers. This means if the original server goes down, the port can no longer be fetched or built.

zheaton's patch specified the git.branch to use, but if, like many port authors, you forget to specify the branch or revision, then the build is not reproducible: users building the port one day get different software than users building the port another day, though the port version has not changed. This is what the guide means when ​it says "fetching via (a version control system) may cause non-reproducible builds, so it is strongly discouraged"

The buildbot (and the distfiles mirror) lives on a restricted network that can only fetch from http and https URLs, so when fetch from a different kind of URL (i.e. a git: URL or an ftp: URL) the buildbot cannot fetch the port and thus cannot build it. (Many GIT repositories are thankfully available at http: or https: URLs.)

See also ​a recent message on macports-dev in which Landon, who first added to MacPorts the ability to fetch from CVS, reiterates his feeling that doing so was a mistake and that it should not be used in its present form.

Therefore, if at all possible, let's use distfiles instead of fetching from a version control system.