tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

dependency explosion

Hi all,
I tried to build rrdtool the other day because freetype2 (which it depends on) has a vulnerability and I like fixing my daily insecurity reports.

I became a little bit concerned when "make package" started build various low level X libraries. My server isn't very quick, and even though I don't build on my production box, it still wasn't going to be quick. I turned off the X dependency and started the build again. This time it decided to build FAM.

I'm sure there are reasons why these dependencies are there, but if you tell someone that we need to have X libraries and FAM installed on a NetBSD web server in order to publish RRD graphs, they'll tell you that we have reached the absurdum in reductio ad absurdum. Unfortunately the package dependency tools haven't been as helpful as I would like. pkgdep doesn't seem to work right now, and pkgdepgraph works on installed package dependencies. If I can get a package dependency graph it might help find somewhere to conveniently prune the graph by switching off a default dependency.

Does anyone else really care? Those of us deploying systems into sensitive environments certainly value minimised installs rather than the Linux approach of everything except the stuff you need.

Lloyd Parkes
Senior Systems Programmer
Open Systems
Ph: +64 4 890 2437

Home | Main Index | Thread Index | Old Index