Subject: Re: The pkgsrc-2006Q1 branch
To: Anne Bennett <firstname.lastname@example.org>
From: Greg Troxel <email@example.com>
Date: 04/01/2006 20:41:04
> (a) When audit-packages tells me that an installed package has a
> vulnerability, what actions do you recommend that I perform
> in reaction to that report? (Each package's web page states "If
> you have a vulnerable package installed on any machine, you are
> advised to remove the package immediately" - which is not
> terrifically helpful in practice!)
> (b) When I want to upgrade a particular package (for example because
> I need its new functionality), how do you recommend that I do
> this, bearing in mind that I have a lot of other software
> installed and in use on the system?
These are very fair questions. They are difficult to answer for two
When packages are updated in pkgsrc, sometimes the ABI changes. To
be safe, this requires rebuilding all the depending packages.
pkgsrc supports building from source and also installing binary
packages. Getting the ABI dependencies right requires bumping the
revision (nbN), given the current schemes.
So, when updating pkgsrc from cvs, usually many packages will appear
to need rebuilding. A number of buildlink3 files will specify newer
required versions than are installed. Thus, using make update, one is
led to a very large amount of rebuilding. Presumably this is what you
I deal with this in two ways:
I almost exclusively use "make replace" rather than "make update".
This is unsafe, but works often, and requires far fewer rebuilds.
I use pkg_comp and pkg_chk to build all the packages I need, and then
pkg_delete all packages, clean out remaining cruft, and then add the
newly built packages.
As to "do you have to reinstall all packages every 3 months", I'm
afraid the answer is yes, if you want to track a stable branch with
security maintenance. But, with pkg_chk, and pkg_comp or binaries
from ftp.netbsd.org, doing the update isn't so painful.
Greg Troxel <firstname.lastname@example.org>
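As an added illustration, not taken from this mail or from pkgsrc itself, of how the pieces above fit together: the first function reduces audit-packages report lines (question (a)) to package names, and `rebuild_all` is the pkg_chk/pkg_comp rebuild cycle from the second method, wired behind an explicit `--rebuild` switch so nothing destructive runs by accident. The pkgchk.conf path, the binary package directory, and the sample report lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mail or from pkgsrc): parse an audit-packages
# report, and run the pkg_chk/pkg_comp rebuild cycle described above.
# Assumes a pkgsrc host; the paths below are assumptions for this example.
set -eu

CHK_CONF=/usr/pkg/etc/pkgchk.conf        # assumed pkgchk.conf location
PKG_DIR=/usr/pkgsrc/packages/All          # assumed: where built binaries land

# Constructed sample of audit-packages output (URLs are placeholders).
SAMPLE_REPORT='Package openssl-0.9.7d has a remote-code-execution vulnerability, see http://example.invalid/openssl
Package sudo-1.6.8 has a local-privilege-escalation vulnerability, see http://example.invalid/sudo'

# audit-packages prints "Package NAME-VERSION has a TYPE vulnerability, see URL".
# Reduce a report on stdin to the NAME-VERSION column, ignoring other lines.
vulnerable_pkgs() {
    awk '$1 == "Package" && $3 == "has" { print $2 }'
}

demo_vulnerable_pkgs() {
    printf '%s\n' "$SAMPLE_REPORT" | vulnerable_pkgs
}

# Map NAME-VERSION to its pkgsrc directory (e.g. security/openssl).
pkgpath_of() {
    pkg_info -Q PKGPATH "$1"
}

# The second method from the mail: record the installed set, build it all in
# a clean pkg_comp chroot, delete every installed package, list leftovers for
# the admin to clean up by hand, then add the fresh binaries and re-audit.
rebuild_all() {
    pkg_chk -g -C "$CHK_CONF"
    pkg_comp makeroot
    pkg_comp build $(awk '/^[^#]/ { print $1 }' "$CHK_CONF")
    pkg_info | awk '{ print $1 }' | xargs pkg_delete -f
    find /usr/pkg -type f ! -path '/usr/pkg/etc/*'
    pkg_chk -a -b -C "$CHK_CONF" -P "$PKG_DIR"
    audit-packages
}

# Nothing destructive runs unless explicitly requested.
case "${1:-}" in
    --audit)   audit-packages | vulnerable_pkgs | while read -r p; do
                   printf '%s\t%s\n' "$p" "$(pkgpath_of "$p")"; done ;;
    --rebuild) rebuild_all ;;
esac
```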