Subject: pkg/32779: pkgsrc "make update" removes packages inappropriately (IMHO!)
To: None <,,>
From: None <>
List: pkgsrc-bugs
Date: 02/09/2006 01:10:01
>Number:         32779
>Category:       pkg
>Synopsis:       pkgsrc "make update" removes packages inappropriately (IMHO!)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 09 01:10:01 +0000 2006
>Originator:     Anne Bennett
>Release:        3.0, pkgsrc as per CVS 2006-02-07
NetBSD 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan  2 17:33:19 EST 2006 amd64

Running "make update" in a package can end up removing a
package if no non-vulnerable version is currently available.
More annoyingly, since dependencies are followed, it can
end up removing additional packages as well, with all kinds
of unintended effects.

Type "make update" for a package for which a vulnerability
has been listed and downloaded as part of the result of
"download-vulnerability-list" (from security/audit-packages).

I think it would be helpful if the de-installation did not run
until and unless the "make" had completed successfully.

I hope that this can be addressed; I'm starting to be afraid to
pull a cvs update of packages and "make update", not because I
might get a failed make or unstable software, but because I'm never
sure what's going to be pulled out from under me.  :-(

Because of the following of dependencies, going "make && make update"
is not enough protection against unwanted package removal.