Subject: pkg/32779: pkgsrc "make update" removes packages inappropriately (IMHO!)
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 02/09/2006 01:10:01
>Synopsis: pkgsrc "make update" removes packages inappropriately (IMHO!)
>Arrival-Date: Thu Feb 09 01:10:01 +0000 2006
>Originator: Anne Bennett
>Release: 3.0, pkgsrc as per CVS 2006-02-07
NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan 2 17:33:19 EST 2006 email@example.com:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64 amd64

Running "make update" in a package can end up removing a
package if no non-vulnerable version is currently available.
More annoyingly, since dependencies are followed, it can
end up removing additional packages as well, with all kinds
of unintended effects.

Type "make update" for a package for which a vulnerability
has been listed and downloaded as part of the result of
"download-vulnerability-list" (from security/audit-packages).

I think it would be helpful if the de-installation did not run
until and unless the "make" had completed successfully.

I hope that this can be addressed; I'm starting to be afraid to
pull a cvs update of packages and "make update", not because I
might get a failed make or unstable software, but because I'm never
sure what's going to be pulled out from under me. :-(

Because of the following of dependencies, going "make && make update"
is not enough protection against unwanted package removal.
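
Added example, not part of the original report and not pkgsrc code: a wrapper that builds the package and every installed package depending on it before "make update" is allowed to deinstall anything, which is the ordering the report asks for. The function names, the PKGSRCDIR default, and the pkg_info and "make build" behaviour described in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not pkgsrc code. Assumptions: pkgsrc lives in $PKGSRCDIR,
# "pkg_info -qR" lists the packages that require a package, "pkg_info -Q
# PKGPATH" prints its category/name directory, and "make build" exits
# non-zero when a package cannot be built (e.g. it is marked vulnerable).
PKGSRCDIR=${PKGSRCDIR:-/usr/pkgsrc}
PKG_INFO=${PKG_INFO:-pkg_info}
MAKE=${MAKE:-make}

# Print $1 followed by every installed package that requires it,
# directly or through other packages, each name once.
all_affected() {
    set -- "$1"
    seen=
    while [ $# -gt 0 ]; do
        cur=$1
        shift
        case " $seen " in *" $cur "*) continue ;; esac
        seen="$seen $cur"
        # Queue the packages that would be removed along with $cur.
        set -- "$@" $($PKG_INFO -qR "$cur")
    done
    echo $seen
}

# Build every affected package in its work directory. Nothing installed
# is touched; the first build failure aborts with a non-zero status.
preflight() {
    for pkg in $(all_affected "$1"); do
        dir=$PKGSRCDIR/$($PKG_INFO -Q PKGPATH "$pkg")
        ( cd "$dir" && $MAKE build ) >/dev/null 2>&1 || {
            echo "$pkg: cannot build in $dir; nothing was removed" >&2
            return 1
        }
    done
}

# Run "make update" for $1 only after the preflight has passed.
safe_update() {
    preflight "$1" || return 1
    ( cd "$PKGSRCDIR/$($PKG_INFO -Q PKGPATH "$1")" && $MAKE update )
}
```

The preflight builds dependents against the dependency version that is currently installed, so it catches packages that cannot be built at all but not breakage that only appears against the updated dependency.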