Subject: Re: BUILDLINK_DEPENDS.expat
To: None <jlam@pkgsrc.org>
From: Joachim König-Baltes <joachim.koenig-baltes@emesgarten.de>
List: tech-pkg
Date: 03/24/2006 10:28:00
On Thu, 23 Mar 2006, Johnny Lam wrote:
> If we're going down this route, I want us (pkgsrc) to be very explicit
> about what it means to have a package "depend" on another package. Are
> we saying that a dependency is the minimum package needed to satisfy a
> requirement? Or are we saying that it's the minimum, *non-vulnerable*
> package needed to satisfy a requirement? I simply don't think the
> latter is a good definition. You won't find that definition anywhere in
> software READMEs ("requires zlib>=1.0, but make sure you use a
> non-vulnerable version of zlib!"). Let's just have dependencies have
> their usual meanings, and stop (ab)using them for security reasons.
Could we also try to record when it is safe to rebuild and install
a package without rebuilding the packages that require it,
so that "make replace" is no longer experimental and could be applied
automatically during a recursive "make update" if the dependencies
allow for it?
Joachim