current-users: Re: today's openssh version 3.7

Subject: Re: today's openssh version 3.7
To: William Allen Simpson <wsimpson@greendragon.com>
From: Frederick Bruckman <fredb@immanent.net>
List: current-users
Date: 09/19/2003 08:47:01

On Fri, 19 Sep 2003, William Allen Simpson wrote:

> Frederick Bruckman wrote:
> >
> > As far as timely maintenance in the face of a known security issue
> > goes, the package system pales in comparison to the base. From the
> > maintainer's point of view, in the base system, you just commit the
> > tiny fix to the code, while for pkgsrc, you have to deal with automake
> > or even crazier build systems, generate patches and PLISTS, and so on.
>
> But the package itself has been updated in the canonical source.  So,
> checking the patches can't be that bad.  Perhaps the package make
> system is too hard to use?

Perhaps... I look forward to the day when the new user can simply
install binary packages, and not be bothered with "pkgsrc". Observe
that the binary packages for "stable" software, that which has
remained unchanged for the last couple of years, work fine; it's just
that the binary package builders can't keep up with all the changes.
[Moral: don't release buggy software in the first place. ;-)]

> > >From the user's POV, the base system requires only a cvs update, build
> > and install,
>
> Then, you have 1,000 (10,000? 100,000?) folks like me waiting about 14
> hours for `cvs up`, compiling -current, discovering that the build fails,
> re-cvs (only about 7 hours this time), -u build, discover the flist is
> bad, re-cvs, -u distribution (still running at this moment)....

Your objection is entirely without basis, as to use pkgsrc as you
suggest requires one to use CVS as well.

By the time "chkflist" has failed, by the way, everything else is
done, and you could safely proceed to install the distribution you
made. The "make release" tarballs would be broken, of course.

> Never-the-less, I started this thread because (much to my surprise)
> debian took less than 2 minutes!  It's also easier!  And it scales!

Sure, we can learn from other package systems. There is a fundamental
difference between NetBSD and Debian though, and that is that NetBSD
pkgsrc is built on top of a base system that isn't made of packages.
There are certain advantages to that -- a third party can say, "This
software builds on NetBSD 1.6.1", without having to specify a
particular version of binutils, gcc, curses, XFree86, and so on.

Frederick