On Tue, Jun 10, 2003, Ralf S. Engelschall wrote:
> > The PreReq dependency is required to trigger rebuilds because this
> > is the only kind stored by rpm in the package database. The BuildPreReq
> > information is lost.
>
> But one can argue that it is just fair that RPM throws this info away
> now (after installing) it is no longer required for it.
You can only guess about the reasoning behind RPM, after all the PreReq
conditions are not exactly the right information either.
RPM implements a much more powerful (but also informal and error-prone)
mechanism to describe other kinds of dependencies, including the
"need-to-rebuild" which is triggers. Something we, safely, do not use.
> > Index information cannot be used as a substitute because it is only
> > valid for packages in the repository which often do have dependencies
> > different from installed packages.
>
> Can you provide more details or an example? I'm not sure whether
> I understand this correctly.
program A requires library B.
program A is upgraded in the repository to use its own implementation C.
library B is upgraded in the repository. Let's say a security issue.
Users will upgrade library B but will not rebuild program A which
no longer depends on library B _in the repository_. However, they are
still using the older version of program A which still contains the
vulnerable version of library B.
Now you could say that security advisories will catch this, but if
this is not security relevant, but "just" a bugfix I don't think that
we will tell every user that there is a hidden dependency.
--
,eM""=. a"-. Michael van Elst
dWWMWM" - :GM==; [EMAIL PROTECTED]
:WWMWMw=--. "W=' cable & wireless
9WWMm==-.
"-Wmw-" CABLE & WIRELESS
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List [EMAIL PROTECTED]
