On 09/01/2004, at 2:24 AM, Thomas Klausner wrote:

>>> So it is only changed if _all_ dependent packages need
>>> a newer version?
>>
>>   Well, I'd replace all by "a majority of", but yes,
>> that's the idea.
>
> Ok, but we should make tools to find out when such a time
> comes for those that don't switch all at once.

   I think this is less of a problem in practice then it
sounds here.  Typically, when the API changes drastically,
you have a "majority of" (probably an "all of") case, in
which case you can switch the BUILDLINK_DEPENDS immediately.

   The case where a creeping number of dependent packages
will require a newer version is probably the exception.

   But yes, a script might be nice that detects such cases!

> And we should make clear that older libraries than the one
> currently in pkgsrc are _not supported_.

   Yes, that should be documented.

> So we should make it even more recommended to have
> audit-packages installed.

   Yes, that's a good idea.

> Perhaps even mandatory?

   Perhaps not mandatory, but maybe the default.  I.e.,
automatically install audit-packages (similar to 'digest'
and the like) unless ALLOW_VULNERABLE_PACKAGES is set.

> Which remindes me:  The bulk build code should report failure if
> it finds the variable set.

   Okay, I'll try to inject this into the bulk building
code ...

> Also, if the recommended version is overridden, that should be
> marked in the binary package too, perhaps as a BUILD_DEF; and
> pkg_add should warn when it finds it.

   Good idea!

   Cheers
       ,
    Rene