On Thu, Mar 17, 2005, SÅ?awek Å»ak wrote:
> What was the motivation for adding library dependencies, when OpenPKG
> is always using static linking. Upgrading i.e. OpenSSL when there is a
> security bug found, won't make OpenSSH and others, non-vulnerable
> automatically. A recompilation is needed. Build prerequisite is
> enough. Can't these dependencies be removed? What is gained when they
> are kept?
There are two points you have to keep in mind:
1. Although RPM known both about build and run-time dependencies
in the package specification, it stores the build-time ones in the
.src.rpm and the run-time ones in the binary .rpm and the instance
database only. This means that a build/upgrade tool like "openpkg
build" has no chance to figure out the build-time dependencies of an
already existing package except to look into the index (but keep in
mind that the one in the index could be already different in version
from the one installed).
2. Although we currently still use static library linking, once we want
to (optionally) also support shared library linking we would have add
to the run-time dependencies anyway.
So, although we all do not find it rather elegant, we decided some time
ago in the past to use both build- and run-time dependencies for all
libraries.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List openpkg-dev@openpkg.org
