On Thu, 17 Mar 2005 20:20:06 +0100, Ralf S. Engelschall <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 17, 2005, Sławek Żak wrote:
>
> > What was the motivation for adding library dependencies, when OpenPKG
> > is always using static linking. Upgrading i.e. OpenSSL when there is a
> > security bug found, won't make OpenSSH and others, non-vulnerable
> > automatically. A recompilation is needed. Build prerequisite is
> > enough. Can't these dependencies be removed? What is gained when they
> > are kept?
>
> There are two points you have to keep in mind:
>
> 1. Although RPM knows both about build and run-time dependencies
> in the package specification, it stores the build-time ones in the
> .src.rpm and the run-time ones in the binary .rpm and the instance
> database only. This means that a build/upgrade tool like "openpkg
> build" has no chance to figure out the build-time dependencies of an
> already existing package except to look into the index (but keep in
> mind that the one in the index could be already different in version
> from the one installed).

Hm. The process for upgrading should go like this IMHO: Find me a new srpm with version higher than the installed. Having the srpm find and resolve (build) all dependencies if requested. Install the prerequisites and build me a package. Remove the prerequisites and the package if I'm requesting a build only (separate buildhost/cluster scenario).

> 2. Although we currently still use static library linking, once we want
> to (optionally) also support shared library linking we would have to add
> to the run-time dependencies anyway.

That's a good point. Dependency upgrade will suffice if a library itself is vulnerable/buggy.

> So, although we all do not find it rather elegant, we decided some time
> ago in the past to use both build- and run-time dependencies for all
> libraries.

Don't bother. I was just wondering.

Thanks for response,
/S
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   openpkg-dev@openpkg.org