Subject: pkg/32779: pkgsrc "make update" removes packages inappropriately (IMHO!)
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <anne@porcupine.montreal.qc.ca>
List: pkgsrc-bugs
Date: 02/09/2006 01:10:01
>Number: 32779
>Category: pkg
>Synopsis: pkgsrc "make update" removes packages inappropriately (IMHO!)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Feb 09 01:10:01 +0000 2006
>Originator: Anne Bennett
>Release: 3.0, pkgsrc as per CVS 2006-02-07
>Organization:
>Environment:
NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan 2 17:33:19 EST 2006 root@newquill.porcupine.montreal.qc.ca:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64 amd64
>Description:
Running "make update" in a package can end up removing a
package if no non-vulnerable version is currently available.
More annoyingly, since dependencies are followed, it can
end up removing additional packages as well, with all kinds
of unintended effects.
>How-To-Repeat:
Type "make update" for a package for which a vulnerability
has been listed and downloaded as part of the result of
"download-vulnerability-list" (from security/audit-packages).
>Fix:
I think it would be helpful if the de-installation did not run
until and unless the "make" had completed successfully.
I hope that this can be addressed; I'm starting to be afraid to
pull a cvs update of packages and "make update", not because I
might get a failed make or unstable software, but because I'm never
sure what's going to be pulled out from under me. :-(
Because of the following of dependencies, going "make && make update"
is not enough protection against unwanted package removal.
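
The two orderings discussed in this report, as an added example (not part of the original report and not pkgsrc code). It is a simplified model: the package names, versions, dependency graph and the rule that a build is refused for a package flagged vulnerable are all assumptions made for illustration.

```python
# Simplified model, not pkgsrc code. Package names and versions are constructed.
DEPENDS = {"libfoo": [], "bar": ["libfoo"], "baz": ["bar"], "qux": []}
INSTALLED = {"libfoo": "1.0", "bar": "1.0", "baz": "1.0", "qux": "1.0"}
AVAILABLE = {"libfoo": "1.1", "bar": "1.1", "baz": "1.1", "qux": "1.1"}
VULNERABLE = {"bar"}  # listed as vulnerable, no fixed version available yet


def affected(pkg):
    """pkg plus every package that depends on it, in rebuild order."""
    todo, found = [pkg], set()
    while todo:
        p = todo.pop()
        if p not in found:
            found.add(p)
            todo += [o for o, deps in DEPENDS.items() if p in deps]
    order = []
    while len(order) < len(found):  # add one dependency layer per pass
        order += [p for p in sorted(found) if p not in order
                  and all(d in order or d not in found for d in DEPENDS[p])]
    return order


def build(pkg, vulnerable):
    """Model assumption: the build is refused for a package flagged vulnerable."""
    return pkg not in vulnerable


def update_deinstall_first(pkg, installed, vulnerable=VULNERABLE):
    """Ordering the report describes: remove pkg and dependents, then rebuild."""
    state = dict(installed)
    targets = [p for p in affected(pkg) if p in state]
    for p in targets:
        del state[p]
    for p in targets:
        if not build(p, vulnerable):
            break  # rebuild stops here; the rest stays removed
        state[p] = AVAILABLE[p]
    return state


def update_build_first(pkg, installed, vulnerable=VULNERABLE):
    """Ordering the Fix section asks for: deinstall only after all builds succeed."""
    targets = [p for p in affected(pkg) if p in installed]
    if not all(build(p, vulnerable) for p in targets):
        return dict(installed)  # nothing was removed
    return {**installed, **{p: AVAILABLE[p] for p in targets}}
```

In this model, updating "libfoo" builds cleanly on its own, which is why "make && make update" gives no protection: the dependent "bar" is the one that fails, and it and "baz" are already gone by then.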