Subject: Re: BUILDLINK_DEPENDS.expat
To: None <tech-pkg@NetBSD.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 03/23/2006 10:08:12
I am replying to multiple emails here. I also carbon-copied Rene on this 
since he committed this code for "recommended for security or library ABI 
consistency reasons".

On Thu, 23 Mar 2006, Todd Vierling wrote:

> > >   ... This [BUILDLINK_DEPENDS] variable should be set to the first version
> > > of the package that had the last change in the major number of a shared
> > > library or that had a major API change.
> 
> This makes no sense.  Why would we set RECOMMENDED at all in this case...?

I was just reporting what the documentation says. At least I know why I was 
doing it wrong :)

RECOMMENDED could be used for minor changes when the maintainer 
"recommends" you use the new version. (But that is not important to me.)

On Thu, 23 Mar 2006, Johnny Lam wrote:

> 	BUILDLINK_DEPENDS.*	-> BUILDLINK_API_DEPENDS.*
> 	BUILDLINK_RECOMMENDED.*	-> BUILDLINK_ABI_DEPENDS.*
> 
> As far as I can tell, buildlink is the only existing user for the RECOMMENDED
> processing in bsd.pkg.mk, so I think we should get rid of it and handle the
> BUILDLINK_{API,ABI}_DEPENDS.* directly in the buildlink framework.  Then I
> would rename:
> 
> 	IGNORE_RECOMMENDED	-> IGNORE_ABI_DEPENDS
> 
> And add documentation that setting IGNORE_ABI_DEPENDS means you're managing
> those types of dependencies on your own.

This sounds good. It will make it more clear. I can do this work (and 
documentation) and commit in April.

On Thu, 23 Mar 2006, Johnny Lam wrote:

> I don't think having a "security" depends is a good idea, and I would rather
> see the practice of bumping dependencies for security-related reasons go away.
> We should manage security-related issues externally instead of shoehorning
> them into a package dependency graph.

I also do not like the idea of bumping RECOMMENDED for each security fix. 
That is one reason someone may choose to use IGNORE_RECOMMENDED, but 
Todd's suggested BUILDLINK_SECURITY_DEPENDS and a corresponding 
IGNORE_SECURITY_DEPENDS could fix that.

I think audit-packages is good enough. But having a 
BUILDLINK_SECURITY_DEPENDS/IGNORE_SECURITY_DEPENDS might be good to 
automatically encourage security updates. Maybe IGNORE_SECURITY_DEPENDS 
could be disabled by default?

I know we have had at least one advocate for bumping the 
BUILDLINK_RECOMMENDED for security updates, so I will wait for others' 
thoughts on this.

 Jeremy C. Reed

echo ':6DB6=88>?;@69876tA=AC8BB5tA6487><' | tr '4-F' 'wu rofIn.lkigemca'
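As an added illustration (not code from this thread or from pkgsrc itself), the following Python models the two-tier check that the BUILDLINK_API_DEPENDS / BUILDLINK_ABI_DEPENDS renaming describes: an unmet API dependency always fails, while an unmet ABI dependency only becomes a warning when IGNORE_ABI_DEPENDS is set. The version ordering is a simplified assumption covering dotted numbers with an optional "nbN" suffix, not pkgsrc's real dewey comparison.

```python
import re

# Assumed simplification of pkgsrc "dewey" ordering: dotted digits plus an
# optional "nbN" package-revision suffix, e.g. "1.95.8nb2".
def version_key(v: str):
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2) or 0)

def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (missing components count as 0)."""
    (pa, na), (pb, nb) = version_key(a), version_key(b)
    width = max(len(pa), len(pb))
    pa, pb = pa + [0] * (width - len(pa)), pb + [0] * (width - len(pb))
    return ((pa, na) > (pb, nb)) - ((pa, na) < (pb, nb))

OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
       "<=": lambda c: c <= 0, "<": lambda c: c < 0}

def satisfies(installed: str, pattern: str) -> bool:
    """Check an installed version against 'expat>=1.95.7' or 'expat>=1.95.7<2.0'."""
    m = re.fullmatch(r"[\w-]+((?:(?:>=|>|<=|<)[\w.]+)+)", pattern)
    if not m:
        raise ValueError(f"unsupported dependency pattern: {pattern!r}")
    for op, ver in re.findall(r"(>=|>|<=|<)([\w.]+)", m.group(1)):
        if not OPS[op](compare(installed, ver)):
            return False
    return True

def check_buildlink(installed: str, api_depends: str, abi_depends: str,
                    ignore_abi_depends: bool = False):
    """Assumed model of the two tiers discussed in the thread (not bsd.pkg.mk code):
    API dependency unmet  -> hard error, the build cannot proceed.
    ABI dependency unmet  -> error, unless IGNORE_ABI_DEPENDS is set, in which case
                             the user has declared they manage shared-library ABI
                             consistency themselves and only a warning is issued."""
    if not satisfies(installed, api_depends):
        return "error", f"API dependency {api_depends} not met by {installed}"
    if not satisfies(installed, abi_depends):
        if ignore_abi_depends:
            return "warning", f"ABI dependency {abi_depends} not met by {installed}; IGNORE_ABI_DEPENDS set"
        return "error", f"ABI dependency {abi_depends} not met by {installed}"
    return "ok", f"{installed} satisfies {api_depends} and {abi_depends}"
```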