On 2025-03-20 at 07:41 GMT, Havard Eidnes wrote:
> Is this a bug? I think it is... Or is it simply a "limitation", and "you're not supposed to mix source and binary packages" (how else do you then deal with vulnerabilities like this in a timely manner?) If you think it's a bug, I can submit a PR, but I'd like some feedback beforehand.
It's a limitation. Installed packages must always be consistent with the remote repository, so yes, pkgin mostly ignores whether it's an upgrade, downgrade or refresh; the only thing it cares about is that the remote binary package is different, so it gets updated.
Packages occasionally do legitimately go backwards when it's found that the update was bad, so you can't just not update them.
Any other alternative (e.g. holding packages back, or allowing custom-built packages) will very quickly land you in trouble as dependencies get updated underneath them. However, my users keep asking for it, so it may be something I eventually implement, but with dire warnings attached. It is _strongly_ recommended not to go down this path.
"How else do you then deal with vulnerabilities like this in a timely manner" is technically easy: you just have continuous bulk builds that churn out daily package updates, as I've done for many years, but it is politically very very very hard.
--
Jonathan Perkin
pkgsrc.smartos.org
Open Source Complete Cloud
www.tritondatacenter.com