Hello Hartmut, Hartmut Goebel <[email protected]> skribis:
> My concerns are not about building, but about installing. A concrete > example: > > * Ansible is a Python program running ssh via a path to > /gnu/store/…-openssh-8.0p1/bin/ssh > * Mary installs ansible. > * Now openssh shows a serious bug and Mary updates openssh using "guix > -u openssh" > > Obviously this will *not* update ansible, and ansible will still use the > old, vulnerable version of openssh. > > OTOH, if ansible would run ssh via $PATH, ansible would pick up the new > version of openssh. The whole idea of functional software deployment is that it’s stateless: you can tell that /gnu/store/…-ansible-1.2.3 will always behave the same, no matter what other programs are available on your machine. Introducing “dynamic binding” (e.g., looking up programs in $PATH) would allow for faster security updates in the example you gave, but that would be at the expense of that core property I described above. It would be a regression. I think what we need in this case is (1) fast security updates, which is what grafts help us achieve, and (2) documentation that clarifies what the deployment model is, such that Mary would know that ‘ansible’ also needs to be upgraded in the example above. Ludo’.
