see https://bugs.mageia.org/show_bug.cgi?id=2317
in short: I've provided a patch which does this, but there is discussion about it. Since the patch seems to indicate a change of behavior, people there requested this be mailed to -dev ML. so, it's about having new dependencies when you're doing updates and those dependencies are not in the update media. The way I see it, there 2 opinions: A. fetch dependencies only from enabled release/update repositories Problems: - patch doesn't exist yet and code complexity is alot higher - if backports are enabled, a dependency fetched from release could conflict with other installed (from backports or other). thus the update would fail. Solutions for this: - this is not cleanly solvable, we would have to remove the backport. B. fetch dependencies only from enabled repositories Problems: - if backports are enabled, dependencies could come from backports instead of release. Solutions for this: - this can be prevented in various ways: even as simple as the backport packager to bump an update with stricter requires so that the backport wouldn't be fetched (_IF_ it indeed would be incompatible) AND the update could have stricter requires for that new dependency. IMHO, it's very simple: we should choose B because if you have backports enabled, you'd want the backport to be pulled for new dependency (IF it doesn't conflict). (in the above i state backports, but it could be any enabled repository, like testing, or even 3rd party repos.) In short, we shouldn't be thinking of cherrypicking backports, and if users are trusting repositories, we should be using them. since QA is waiting for a fix for this for a long time (pre-mga1), we should get this fixed asap. PS: since we're enabling backports, we should make sure that the update validation process would have one of both required tests for validation with backports enabled and the other disabled.
