pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: The pkgsrc-2006Q1 branch
Anne Bennett wrote:
But I think that the mental model for the system administration of
pkgsrc needs to be reviewed, or perhaps simply communicated more
clearly (I'll be embarrassed if this is on a web page somewhere, but
if so, I haven't seen it yet). In that spirit, I'd like to ask the
designers of the pkg system:
(a) When audit-packages tells me that an installed package has a
vulnerability, what actions do you recommend that I perform
in reaction to that report? (Each package's web page states "If
you have a vulnerable package installed on any machine, you are
advised to remove the package immediately" - which is not
terrifically helpful in practice!)
As a long-time pkgsrc user and friend of a netbsd developer, here's what
I've come to believe about this problem:
1. pkgsrc and/or netbsd and/or the developers of either don't have an
answer to that question. I think the mental model is: "pkgsrc is
there to help automate the installation and upgrade of other
people's software. It's a convenience, but it doesn't fix the
underlying software maintenance/upgrade issues associated with
multiple installed pieces of software that all depend on each
other. That problem continues to exist, even in pkgsrc." Looked
at that way, I understand the issue. It's not their fault that
the developer(s) of software system X bumped the version number of
a dependency package that is a widely-used package that everything
else depends on, etc. That's just a real-life problem with all
software on all OSes, and pkgsrc doesn't fix it.
2. The pkgsrc maintainers don't have time to manage this issue for
all the software in pkgsrc. It would be an enormous job, and
they'd be slaves to the decisions of all the external software
vendors.
3. You'll notice that the netbsd devs *do* manage this issue with the
netbsd core software. Per your comments, they do a good job of
sending detailed instructions about exactly what you should do
when core software needs to be upgraded. In this case, they *are*
managing the dependency issue for you.
4. This problem is therefore the full responsibility of the local
system admin (i.e. you) to sort out, just as if you weren't using
pkgsrc. Crappy I know :)
(b) When I want to upgrade a particular package (for example because
I need its new functionality), how do you recommend that I do
this, bearing in mind that I have a lot of other software
installed and in use on the system?
There interesting part, now, is that there are semi-viable ways to get
what you want, but I'm not totally clear on either. My netbsd-developer
friend (schmonz) is acting as my surrogate beta-tester for these, and
I've been hoping that he has good results. They are:
1. pkg_views, for packages that support it. My understanding is that
pkg_views is a way for multiple versions of the same software to
be semi-transparently installed on the same machine. It seems
complex to configure, but then (I think) easy to use. But all
packages don't support pkg_views, and there has been recent
discussion on this thread about taking it out (!!!). I haven't
yet tried it.
2. pkg_comp, which I've only recently found about (through schmonz).
The idea there is that the entire installed-package dependency
tree can be rebuilt in a "chrooted" environment, so that if it
fails, nothing is left partially-upgraded or uninstalled, etc.
Essentially, "build everything first, and then if that succeeds,
install it." This seems like a golden solution, if it works well.
1. But it won't fix the core problem that sometimes there just
isn't a configuration that works: php may not work with the
latest version of libver, but you need the latest version
for apache to work, so you can't have both. If that's true,
you're just not going to be able to have a self-consistent
system without using older versions of the software, until
the developers fix it. Theoretically, though pkg_views
could fix that for you :)
Good luck!
Home |
Main Index |
Thread Index |
Old Index