To: Todd Vierling <>
From: Jaromir Dolecek <>
List: tech-pkg
Date: 11/07/2004 21:20:37

Todd Vierling wrote:
> Yes.  This will mean that many folks won't get necessary security or other
> important fixes on a timely basis.

Arguably the software packaging system should not force users
to upgrade their systems unnecessarily. Security fixes are orthogonal
to software build requirements and I believe we should not be
bumping any depends for security-related fixes. That's what
audit-packages is for, which (contrary to pkgsrc) checks installed
packages too and not just stuff required for a build.

The way we currently do buildlink depends is not good; they are
bumped way too often, mostly just because a single or just a couple
of other packages require the new version. Users are then forced to
update even when the software they use doesn't actually require the
new version.

Anyway, back to RECOMMENDED - IMHO it should be opt-in. If the user
wants to follow all the recommendations, then they enable it.
The default should be to use whatever satisfies requirements for the

Jaromir Dolecek <>  
-=- We should be mindful of the potential goal, but as the Buddhist -=-
-=- masters say, ``You may notice during meditation that you        -=-
-=- sometimes levitate or glow.   Do not let this distract you.''   -=-