Subject: Re: dependencies & security vulnerabilities
To: Malcolm Herbert <>
From: Greg Troxel <>
List: tech-pkg
Date: 08/01/2005 08:49:04
  I agree with the sentiment here, but how do you intend to distinguish
  between two versions of a particular pre-compiled package with the same
  version number where one is secure and the other not?

I'm 99.9% sure that

  Everyone thinks PKGREVISION++ is appropriate for the package
  for which a security fix is applied, because bumping PKGREVISION is
  appropriate for any significant change.  Certainly the version has
  to change so audit-packages can function properly.

  If a package's ABI changes, then PKGREVISION should be bumped in
  packages that depend on the package:

The issue at hand is whether to bump PKGREVISION for depending
packages when there is a security fix but no ABI change.

        Greg Troxel <>
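The thread's reasoning about why PKGREVISION must move for audit-packages to work can be made concrete with a small version-matching model. The following is an added example, not code from this thread or from pkg_install: it implements a simplified dewey-style comparison of pkgsrc versions (numeric dotted components plus an optional `nbN` PKGREVISION suffix), matches installed packages against `name<version`-style entries in the form used by the pkg-vulnerabilities file, and uses constructed package names and vulnerability entries. The real pkg_install comparison handles more suffixes (alpha, beta, pl, and so on) than this model does.

```python
import re

# Relational operators accepted in a vulnerability pattern.
_OPS = {
    "<":  lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "=":  lambda c: c == 0,
    ">":  lambda c: c > 0,
    ">=": lambda c: c >= 0,
}


def parse_version(version):
    """Split '1.2.3nb4' into ((1, 2, 3), 4).

    Simplified model: purely numeric dotted components and an optional
    'nb<N>' PKGREVISION suffix (assumption; pkg_install accepts more forms).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return parts, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    # Pad with zeros so that 1.2 compares equal to 1.2.0.
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def split_pkgname(pkgname):
    """'foo-1.2nb3' -> ('foo', '1.2nb3'); the version follows the last '-'."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version[:1].isdigit():
        raise ValueError(f"not a package name with version: {pkgname!r}")
    return name, version


def matches_pattern(pattern, pkgname):
    """True if the installed package satisfies a 'name<op>version' entry."""
    m = re.fullmatch(r"([^<>=]+)(<=|>=|<|>|=)(.+)", pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    pat_name, op, pat_version = m.groups()
    name, version = split_pkgname(pkgname)
    if name != pat_name:
        return False
    return _OPS[op](compare_versions(version, pat_version))


def audit(vulnerabilities, installed):
    """Return (pkgname, pattern) pairs for every installed package hit by an entry."""
    hits = []
    for pkgname in installed:
        for pattern in vulnerabilities:
            if matches_pattern(pattern, pkgname):
                hits.append((pkgname, pattern))
    return hits


# Constructed data: a fix for 'foo' was committed with PKGREVISION bumped
# from 2 to 3, so the vulnerability entry says everything below 1.2nb3 is bad.
VULNERABILITIES = ["foo<1.2nb3"]

# Constructed installed set: one binary built before the fix, one after.
INSTALLED = ["foo-1.2nb2", "foo-1.2nb3", "bar-0.9"]


if __name__ == "__main__":
    for pkgname, pattern in audit(VULNERABILITIES, INSTALLED):
        print(f"Package {pkgname} has a vulnerability matching {pattern}")
```

Only `foo-1.2nb2` is reported. Had the fix been applied without bumping PKGREVISION, both binaries would carry the same name `foo-1.2nb2`, and no pattern could separate the fixed build from the unfixed one; that is the situation the message's "the version has to change so audit-packages can function properly" refers to.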