Subject: Re: unix worm via ssh1
To: Jeremy C. Reed <reed@reedmedia.net>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-security
Date: 11/17/2001 14:20:45
On Fri, Nov 16, 2001 at 01:57:55PM -0800, Jeremy C. Reed wrote:
> I don't understand. Can you explain?
> 
> What if it has some different version number?
> 
> From my 1.4.2:
> 
>  $ grep openssh /var/db/pkg/*/+REQUIRED_BY
>  /var/db/pkg/openssl-0.9.4/+REQUIRED_BY:openssh-1.2.2
>  /var/db/pkg/perl-5.00404/+REQUIRED_BY:openssh-1.2.2
>  $ pkg_info -R openssh
>  Information for openssh-1.2.2:

Well, your openssh depends on perl-5.00404 and openssl-0.9.4.
On current pkgsrc perl is only a build depend (so we don't need it
for a binary package) but it depends on openssl-0.9.6.
We have openssl-0.9.5a on the ftp server. If we replace openssl-0.9.5a with
openssl-0.9.6, all 1.4.2 packages built against openssl-0.9.5a need to be
rebuilt against 0.9.6, which may show other dependencies too ...

The best way would be to do a bulk build on 1.4.3 and upload it in place
of the 1.4.2 packages we have today. But I'm not sure I've got all the
implications of this yet.

The problem of updating binary packages for security fixes has been
discussed at least once on tech-pkg. No good solutions have been
found yet.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
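The rebuild problem Manuel describes (replace one library package and every binary package built against it, transitively, has to be rebuilt) can be worked out from the same `+REQUIRED_BY` files Jeremy grepped. The script below is an added example, not code from this thread or from pkgsrc: it builds a constructed package database in a temporary directory that mirrors the `/var/db/pkg/<pkg>/+REQUIRED_BY` layout, then answers two questions with assumed helper names: `depends_on` recovers what a package was built against (the grep in the quoted message), and `rebuild_set` computes the full set of packages that must be rebuilt when a given package is replaced.

```shell
#!/bin/sh
# Constructed sample package database (assumption: mirrors /var/db/pkg layout,
# where <pkg>/+REQUIRED_BY lists the packages that were built against <pkg>).
PKGDB="$(mktemp -d)"

make_sample_pkgdb() {
    for p in openssl-0.9.5a perl-5.00404 openssh-1.2.2 cvs-1.11 foo-1.0; do
        mkdir -p "$PKGDB/$p"
    done
    # openssl is required by openssh and cvs; perl by openssh; openssh by foo.
    printf 'openssh-1.2.2\ncvs-1.11\n' > "$PKGDB/openssl-0.9.5a/+REQUIRED_BY"
    printf 'openssh-1.2.2\n'           > "$PKGDB/perl-5.00404/+REQUIRED_BY"
    printf 'foo-1.0\n'                 > "$PKGDB/openssh-1.2.2/+REQUIRED_BY"
}

# Forward dependencies of $1: which packages list it in their +REQUIRED_BY.
# Same information as "grep <pkg> /var/db/pkg/*/+REQUIRED_BY", one line, sorted.
depends_on() {
    for f in "$PKGDB"/*/+REQUIRED_BY; do
        if grep -qx "$1" "$f"; then
            d="${f%/+REQUIRED_BY}"
            printf '%s\n' "${d##*/}"
        fi
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# Transitive reverse dependencies of $1: everything that must be rebuilt if $1
# is replaced by a new version. Breadth-first walk over +REQUIRED_BY files with
# a "seen" list so dependency cycles cannot loop forever. Output: one sorted line.
rebuild_set() {
    queue="$1"
    seen=" "
    while [ -n "$queue" ]; do
        cur="${queue%% *}"
        if [ "$cur" = "$queue" ]; then queue=""; else queue="${queue#* }"; fi
        f="$PKGDB/$cur/+REQUIRED_BY"
        [ -f "$f" ] || continue
        while IFS= read -r dep || [ -n "$dep" ]; do
            [ -n "$dep" ] || continue
            case "$seen" in
                *" $dep "*) continue ;;   # already scheduled for rebuild
            esac
            seen="$seen$dep "
            queue="${queue:+$queue }$dep"
        done < "$f"
    done
    printf '%s\n' $seen | sort | tr '\n' ' ' | sed 's/ $//'
}

make_sample_pkgdb
echo "openssh-1.2.2 was built against: $(depends_on openssh-1.2.2)"
echo "replacing openssl-0.9.5a forces a rebuild of: $(rebuild_set openssl-0.9.5a)"
```

On the sample data, replacing openssl pulls in openssh and cvs directly and then foo, because foo was built against openssh; that second hop is the "may show other dependencies too" that makes piecemeal binary updates awkward. To run it against a real NetBSD host, drop the `make_sample_pkgdb` call and set `PKGDB=/var/db/pkg` instead of the temporary directory.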