* On 2025-03-20 at 08:00 GMT, Jonathan Perkin wrote:
> * On 2025-03-20 at 07:41 GMT, Havard Eidnes wrote:
> > Is this a bug? I think it is... Or is it simply a "limitation", and "you're not supposed to mix source and binary packages" (how else do you then deal with vulnerabilities like this in a timely manner?)
> >
> > If you think it's a bug, I can submit a PR, but I'd like some feedback beforehand.
>
> It's a limitation.
I forgot to mention. The recommended workaround that I tell my users who want to build e.g. a custom package that pkgin will ignore for updates is to change the PKGPATH, as then pkgin will consider the remote package to be a different package and will not replace it.
So for example in your case, do something like:

  cd security
  ln -s openssh openssh-he
  cd openssh-he
  bmake install

as then PKGPATH=security/openssh-he. You can do similar tricks to hold a package, e.g. change PKGPATH in $PKG_DBDIR/<pkg>/+BUILD_INFO and 'pkgin -f update'.
Obviously incredibly hacky, and you get to keep both pieces when it breaks, but will achieve the required outcome.
--
Jonathan Perkin                    pkgsrc.smartos.org
Open Source Complete Cloud   www.tritondatacenter.com
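
The hold trick mentioned in the message above (changing PKGPATH in +BUILD_INFO), written out as an added example; this is not code from the original mail or from pkgin. The function name hold_pkg, its arguments, the backup location and the openssh-0.0 sample entry are assumptions made for illustration, as is the layout of +BUILD_INFO as KEY=value lines.

```shell
#!/bin/sh
# Added example: "hold" an installed package by renaming its recorded PKGPATH,
# so that the remote package is treated as a different package.
# Assumption: +BUILD_INFO is a text file of KEY=value lines with a PKGPATH= line.

# hold_pkg DBDIR PKGNAME SUFFIX BACKUPDIR
# Prints the resulting PKGPATH; returns non-zero on any failure.
hold_pkg() {
    hp_info="$1/$2/+BUILD_INFO"
    hp_suffix=$3
    hp_backup="$4/$2.BUILD_INFO.orig"

    # Accept only a conservative suffix so it cannot alter the sed expression.
    case $hp_suffix in
        ''|*[!A-Za-z0-9_-]*) echo "bad suffix: $hp_suffix" >&2; return 2 ;;
    esac
    [ -f "$hp_info" ] || { echo "missing $hp_info" >&2; return 1; }

    hp_old=$(sed -n 's/^PKGPATH=//p' "$hp_info" | head -n 1)
    [ -n "$hp_old" ] || { echo "no PKGPATH in $hp_info" >&2; return 1; }

    # Idempotent: a path that already carries the suffix is left untouched.
    case $hp_old in
        *"$hp_suffix") echo "$hp_old"; return 0 ;;
    esac

    # Keep the original outside the package database so the hold can be undone.
    mkdir -p "$4" && cp -p "$hp_info" "$hp_backup" || return 1
    sed "s|^PKGPATH=.*|PKGPATH=$hp_old$hp_suffix|" "$hp_backup" > "$hp_info" || return 1
    echo "$hp_old$hp_suffix"
}

# Constructed demo on a throwaway directory; on a real system DBDIR would be
# $PKG_DBDIR and the edit would be followed by 'pkgin -f update'.
demo_hold() {
    hp_tmp=$(mktemp -d) || return 1
    mkdir -p "$hp_tmp/db/openssh-0.0"
    printf 'OPSYS=NetBSD\nPKGPATH=security/openssh\n' \
        > "$hp_tmp/db/openssh-0.0/+BUILD_INFO"
    hold_pkg "$hp_tmp/db" openssh-0.0 -he "$hp_tmp/backup"
    hp_rc=$?
    rm -rf "$hp_tmp"
    return $hp_rc
}

demo_hold
```

Restoring the saved copy from the backup directory over +BUILD_INFO undoes the hold.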