netbsd-help: Re: How to upgrade a package that other packages depend on?

Subject: Re: How to upgrade a package that other packages depend on?
To: Dave Camp <dave@thinbits.com>
From: Harry Waddell <waddell@caravan.com>
List: netbsd-help
Date: 05/05/2004 22:00:18

On Wed, 5 May 2004 17:27:56 -0700
Dave Camp <dave@thinbits.com> wrote:

> On NetBSD 1.6, what is the correct way to go about upgrading a package 
> (building from source) that other packages depend on?
> 
> For example, I'm getting warnings about vulnerabilities in 
> openssl-0.9.6l, so I want to upgrade it to openssl-0.9.6m (or whatever 
> is the latest version).
> 
> 'make install' correctly tells me I need to do a 'pkg_delete' and a 
> 'make reinstall' to upgrade. However pkg-delete then tells me that 
> bind9 depends on openssl, so it can't be safely deleted. Obviously I 
> don't want to hose my bind setup...
> 
> What is the correct (and hopefully least painful) way to solve problems 
> like this? I've looked through the online docs and I can't seem to find 
> a good answer for this...
> 
> Thanks,
> Dave

I guess it depends on how import the systems, and it's availability, are to
you. For my workstation and notebook,  I'd just do a "make update" in
pkgsrc/security/openssl, but for a production server that must be available
as much as feasibly possible, I do this:

1. install pkg_chk and use the -g option to create a pkgsrc/pkgchk.conf
file. 

2. create a chrooted build env using src/build.sh. copy other files from
/etc as needed to make it functional.

3. populate /usr/pkgsrc in the chrooted env. copy pkgsrc/pkgchk.conf to
chrooted dir. add DEPENDS_TARGET=package to the chrooted etc/mk.conf.

4. use pkg_tarup to make binary packages of your installed software. copy to
/usr/pkgsrc/packages/All in the chrooted env.

5. chroot to the chrooted dir. pkg_chk -a -b will install the binary
packages that are current. pkg_chk -a -s to build the missing, obsolete
software. 

6. update /usr/pkgsrc/packages/All with the new binary packages from the
chrooted pkgsrc.

7. exit the chrooted dir. cd /usr/pkgsrc. pkg_chk -i -r to delete the old
stuff, pkg_chk -a to add the new stuff. Either reboot, or restart the
affected packages.

This is far from the easiest way to do things, but it's very fast and very
safe because you always update your pkgs using a complete set of binaries. 
A make update in place takes longer becuase you have to wait for the stuff
to build, and if something fails, it is hard to recover. I build all my
packages for my production systems this way. I believe there are tools in
pkgsrc that will make it easier to perform a chrooted build, but I've never
used them.

-- 
Harry Waddell
Caravan Electronic Publishing
-----------