Commit 3940c5c makes a replacement for ‘file’, so that the new version of file (5.20), which fixes a security vulnerability, is now grafted onto packages that are installed.

I wonder if using a replacement makes sense here, because few packages actually retain a dependency on ‘file’, and since grafting is conservative, we graft anything that might retain a dependency on ‘file’, which means everything.

What about this other option: make another public package, ‘file-5.20’, next to ‘file’, such that when a user explicitly installs ‘file’, they get the new one? That won’t address people referring to ‘file’ (the variable) in their OS configuration, though.

Thanks,
Ludo’.
