[libfyaml] new port, [appstream] update to 1.1.2

[brunvonlope]

Supersedes #49474

---

• Changes comply with the maintainer guide.
• SHA512s are updated for each updated download.
• The "supports" clause reflects platforms that may be fixed by this new version, or no changes were necessary.
• Any fixed CI baseline and CI feature baseline entries are removed from that file, or no entries needed to be changed.
• All patch files in the port are applied and succeed.
• The version database is fixed by rerunning ./vcpkg x-add-version --all and committing the result.
• Exactly one version is added in each modified versions file.

[BillyONeal]

Drafting due to build failures in the new port.

[brunvonlope]

@BillyONeal May be in decent shape for review now :)

[dg0yt]

Usually we want to get rid of -Werror.

[brunvonlope]

Could you rephrase? I did not get it

[dg0yt]

AFAIU these lines disable -Wno-error for a particular warning. I see that as a symptom of -Werror being used during the port build. (Correct me if I'm wrong.)

In general, it is not desired to have -Werror in port builds. That flags is a helpful tool in controlled environments (i.e. upstream CI, or actual developer). But it is breaking builds too easily when toolchains, targets and time vary over a wide range.

So I suggest to check the buildsystem and logs for signs of -Werror, and to disable that flag.

[brunvonlope]

appstream uses a lot of -Werror on the main meson.build. I tried passing -Wno-error VCPKG_C*_FLAGS and with meson build options but no success.

The only one that makes to build is disabling -Wno-error=incompatible-pointer-type specifially.

[BillyONeal]

I believe GPT 5.4 is correct about this:

The main review findings are bundled third-party code with likely incomplete license metadata and host-dependent optional components that are not explicitly controlled by the port.

Declared Metadata

• License: MIT — ports\libfyaml\vcpkg.json:6

Build Invocation Summary

• Primary build helper(s): vcpkg_cmake_configure, vcpkg_cmake_install, vcpkg_fixup_pkgconfig, vcpkg_copy_tools, vcpkg_cmake_config_fixup — ports\libfyaml\portfile.cmake:31-44
• Key options: -DBUILD_TESTING=OFF — ports\libfyaml\portfile.cmake:31-35

Vendored Dependencies

• Bundled component: xxHash

  • Evidence: buildtrees\libfyaml\src\...\src\xxhash\xxhash.c; compiled into fyaml via CMakeLists.txt:869; BSD-2-Clause notice in src\xxhash\xxhash.h:9-35
  • Status: installed as part of the shipped library
  • Assessment: bundled third-party code is used in the library, but it is not modeled in ports\libfyaml\vcpkg.json

• Bundled component: Windows getopt

  • Evidence: CMakeLists.txt:1246-1249 adds src\getopt\getopt.c on Windows; fy-tool is installed via CMakeLists.txt:1684-1690 and copied by ports\libfyaml\portfile.cmake:42; BSD-3-Clause text in src\getopt\LICENSE.getopt
  • Status: installed indirectly in the shipped fy-tool.exe
  • Assessment: bundled Windows-only dependency, also not modeled in metadata

• Bundled component: BLAKE3

  • Evidence: CMakeLists.txt:877-907,897 compiles src\blake3\* into fyaml and installs include\libfyaml\libfyaml-blake3.h; installed package contains include\libfyaml\libfyaml-blake3.h
  • Status: installed as part of the shipped library and public headers
  • Assessment: bundled code is definitely shipped; its third-party notice coverage should be reviewed

Optional Dependency Risks

• Dependency / feature: libyaml

  • Evidence: upstream auto-detects it with find_package(yaml QUIET CONFIG) / pkg_check_modules(LIBYAML yaml-0.1) — buildtrees\libfyaml\src\...\CMakeLists.txt:210-227
  • Why it is risky: ports\libfyaml\vcpkg.json does not declare yaml, and ports\libfyaml\portfile.cmake does not explicitly disable or gate it. If present on the host, it changes the build by enabling libfyaml-parser — CMakeLists.txt:1300-1335
  • Suggested packaging change: explicitly disable this path or add a feature/dependency for it

• Dependency / feature: Sphinx

  • Evidence: upstream does find_program(SPHINX_EXECUTABLE) and conditionally installs generated manpages — CMakeLists.txt:1592-1654; otherwise it installs a canned fallback manpage — CMakeLists.txt:1665-1680
  • Why it is risky: installed content varies with host tooling; builders with sphinx-build can install extra manpages that are absent otherwise
  • Suggested packaging change: patch docs off, or force the canned-manpage path for reproducible packaging

License / Installed Content Findings

• Finding: declared MIT appears incomplete for the shipped contents

  • Declared license: MIT
  • Observed installed content: packages\libfyaml_x64-windows\bin\fyaml.dll, packages\libfyaml_x64-windows\tools\libfyaml\fy-tool.exe, packages\libfyaml_x64-windows\share\libfyaml\copyright
  • Evidence: installed copyright is only upstream MIT text; bundled xxHash carries BSD-2-Clause text (src\xxhash\xxhash.h:9-35), and bundled Windows getopt carries BSD-3-Clause text (src\getopt\LICENSE.getopt)
  • Assessment: the port likely needs a broader SPDX expression and/or bundled third-party notices in the installed copyright

• Finding: bundled BLAKE3 code is shipped but not obviously covered by installed notices

  • Declared license: MIT
  • Observed installed content: packages\libfyaml_x64-windows\include\libfyaml\libfyaml-blake3.h
  • Evidence: src\blake3\* is compiled into fyaml and the public BLAKE3 header is installed — CMakeLists.txt:877-907,897
  • Assessment: verify upstream licensing for the src\blake3 subtree and include any required attribution in the package metadata/notices

Other Port Review Suggestions

• Suggestion: consider feature-gating the CLI tool
  • Evidence: fy-tool is always installed by upstream (CMakeLists.txt:1684-1690) and always copied by the port (ports\libfyaml\portfile.cmake:42)
  • Rationale: if the intended default is “library-only”, a tools feature would reduce package surface and avoid always shipping the extra executable

Recommended Follow-ups

1. Audit the bundled xxhash, getopt, and blake3 subtrees and update license / installed notices accordingly.
2. Make libyaml detection explicit: either disable it or model it as a feature with a declared dependency.
3. Remove host-tool variance from docs packaging by explicitly disabling Sphinx-generated docs or forcing the canned-manpage path.

[brunvonlope]

@BillyONeal I appreciate the effort to make a review with the chatbot but would prefer a human, non overly verbose, and actionable review