On Mon, Aug 27, 2018 at 12:02:33AM -0500, Bruce Dubbs wrote:
> On 08/26/2018 08:56 PM, Ken Moffat wrote:
> 
> You know that cpan fetches the sources, checks dependencies, builds the
> packages and runs the tests, right?  The difference is that the process is
> handled by cpan and automated.  At the end, I have all the source tarballs
> that were used to build the modules.
> 
> It's not like just fetching already built *.pm files.
> 
> In a lot of ways cpan is a lot like jhalfs.
> 
Does it not download _all_ the packages marked as dependencies, even
if the package will build and test ok without them ?  e.g. Net::DNS
has Digest::Hash (I think it was) as a prerequisite although it
builds and tests ok without and therefore I did not add it to the
book.

And does it pick up security-related newer versions ?  One of the
deps pulled in by biber had a "be cautious, treat it as a security
update even though there are no known exploits" update (a reversion
of something that got committed a few revisions before, although I
think only my build earlier this month had used a 'vulnerable'
version).  Or does it, given the chance, just refresh everything
which has a newer version ?  If so, bad luck if the newer version
has issues.

The point is, for people who care it is necessary to look at what
changed.  Also, if you look at fedora and Arch, they tend to pull in
all the possible deps, which at least shows what is needed.

Oh, and many of the *.pm files are technically already built, they
just get copied.  But some 'distributions' (the perl name for what
we call modules, because they might have multiple modules in them)
do compile code.  Building Tk was particularly revealing.

-- 
           Entropy not found, thump keyboard to continue

-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
