Subject: Re: Package update disaster
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 10/09/2004 13:18:54

On Sat, 9 Oct 2004, Thor Lancelot Simon wrote:

> The first is that package Makefiles are often updated to require whatever
> version of a dependency the updating developer happens to be working with,
> even though there's no difference that would actually make the package,
> rebuilt from source with the older version of the dependency, not work.
>
> Obviously getting this right for the *binary* case is hard but we could
> be a little more careful to not cause needless dependency rebuilds in the
> source case.

That's the reason RECOMMENDED and BUILDLINK_RECOMMENDED exist.

In the buildlink3 framework, the BUILDLINK_DEPENDS line for a dependency
should list the earliest security-friendly, compatible version that could be
used, while BUILDLINK_RECOMMENDED should list the earliest version which
would not alter the binary form of the calling package (which is always >=
BUILDLINK_DEPENDS).  The package builder can choose whether or not to
require the higher numbered versions in BUILDLINK_RECOMMENDED with a switch,
IGNORE_RECOMMENDED.

Whether or not this is done "correctly" (wrt when is the right time to bump)
is still debatable, partly because *RECOMMENDED is relatively new and not
well understood by all the pkgsrc developers.  There are also many packages
not yet bl3-ified, and many more which never had a BUILDLINK_RECOMMENDED
setting until the libtool overhaul.

> A related problem, though, is that sometimes the opposite mistake is
> made -- look at the ap_perl package, where the binary package gets only,
> say, perl5 >= perl5.8.3 built into it, because that's what the Makefile
> had; but in fact, the built binary will depend on the later version
> that it was actually linked with, so when you install it on a system
> that _actually_ has 5.8.3, it doesn't work.

Again, this is where BUILDLINK_RECOMMENDED steps in (or to be more precise,
plain RECOMMENDED, since perl's dependency is in bsd.pkg.mk).  It should
list the earliest perl version that is ABI compatible with the "current"
perl version.  This is not currently being done.

> I think it would make sense to be a little more careful about recording
> higher dependency versions than necessary in Makefiles, but also to record
> the dependency in the *built binary package* as the actual version linked
> with, or higher, not the dependency version given in the Makefile.

That's actually the point of @blddep, which already exists in +CONTENTS, but
I don't think it is used to this extent just yet.  (It currently lists an
explicit version, not a dewey, and is not enforced.)

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
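
An added illustration, not part of the original message and not pkgsrc's own code: a small Python model of how the DEPENDS/RECOMMENDED pair and the IGNORE_RECOMMENDED switch decide whether an installed dependency is accepted, and of the quoted ap_perl case where the Makefile pattern accepts a target that is older than what the binary was linked with. The function names, the simplified version comparison (digits, dots and an optional nbN suffix only), the libfoo patterns and the 5.8.5 build-host version are assumptions made for the example.

```python
import re

def parse_version(v):
    """Split '1.2.4nb1' into ((1, 2, 4), 1). Simplified: digits, dots, optional nbN."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def at_least(installed, minimum):
    (a, a_nb), (b, b_nb) = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))                      # pad so 1.2 compares as 1.2.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a, a_nb) >= (b, b_nb)

def satisfies(installed, pattern):
    """installed is 'name-version'; pattern is 'name>=version'."""
    name, minimum = pattern.split(">=")
    inst_name, _, inst_ver = installed.rpartition("-")
    return inst_name == name and at_least(inst_ver, minimum)

def effective_requirement(depends, recommended, ignore_recommended=False):
    """RECOMMENDED is enforced unless the builder sets IGNORE_RECOMMENDED."""
    return depends if ignore_recommended else recommended

def linked_requirement(linked_against):
    """The quoted proposal: record 'actual version linked with, or higher'."""
    name, _, ver = linked_against.rpartition("-")
    return f"{name}>={ver}"

def demo():
    # Constructed values, not taken from any real pkgsrc Makefile.
    depends, recommended = "libfoo>=1.2", "libfoo>=1.2.4nb1"
    installed = "libfoo-1.2.3"
    build_host_perl, target_perl = "perl-5.8.5", "perl-5.8.3"
    return {
        "default": satisfies(installed, effective_requirement(depends, recommended)),
        "ignore_recommended": satisfies(
            installed, effective_requirement(depends, recommended, True)),
        # Makefile pattern accepts the target even though the binary was linked newer.
        "makefile_pattern": satisfies(target_perl, "perl>=5.8.3"),
        "linked_pattern": satisfies(target_perl, linked_requirement(build_host_perl)),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20} {'ok' if ok else 'rebuild/update needed'}")
```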