
List:       openpkg-dev
Subject:    Re: Library dependencies
From:       Sławek Żak <slawek.zak () gmail ! com>
Date:       2005-03-18 19:17:46
Message-ID: 787bbe1c05031811174597c672 () mail ! gmail ! com

On Thu, 17 Mar 2005 20:20:06 +0100, Ralf S. Engelschall <rse@openpkg.org> wrote:
> On Thu, Mar 17, 2005, Sławek Żak wrote:
> 
> > What was the motivation for adding library dependencies, when OpenPKG
> > is always using static linking. Upgrading i.e. OpenSSL when there is a
> > security bug found, won't make OpenSSH and others non-vulnerable
> > automatically. A recompilation is needed. Build prerequisite is
> > enough. Can't these dependencies be removed? What is gained when they
> > are kept?
> 
> There are two points you have to keep in mind:
> 
> 1. Although RPM knows both about build and run-time dependencies
>   in the package specification, it stores the build-time ones in the
>   .src.rpm and the run-time ones in the binary .rpm and the instance
>   database only. This means that a build/upgrade tool like "openpkg
>   build" has no chance to figure out the build-time dependencies of an
>   already existing package except to look into the index (but keep in
>   mind that the one in the index could be already different in version
>   from the one installed).

Hm. The process for upgrading should go like this IMHO:

Find me a new srpm with version higher than the installed. Having the
srpm find and resolve (build) all dependencies if requested. Install
the prerequisites and build me a package. Remove the prerequisites and
the package if I'm requesting a build only (separate buildhost/cluster
scenario).

> 2. Although we currently still use static library linking, once we want
>   to (optionally) also support shared library linking we would have to add
>   to the run-time dependencies anyway.

That's a good point. Dependency upgrade will suffice if a library
itself is vulnerable/buggy.
 
> So, although we all do not find it rather elegant, we decided some time
> ago in the past to use both build- and run-time dependencies for all
> libraries.

Don't bother. I was just wondering.

Thanks for the response, /S
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   openpkg-dev@openpkg.org
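Ralf's first point is that, with static linking, a security fix in a library only reaches OpenSSH and the other dependents once they are rebuilt, and the build-time dependencies a tool would need to find those dependents live only in the .src.rpm. As an added example (not code from this thread or from OpenPKG), here is the rebuild-set computation such a tool needs, run over a constructed package graph; the package names and their BuildRequires are made up for illustration.

```python
"""Compute which statically linked packages must be rebuilt, and in what
order, after a library receives a security fix. Constructed example."""

# Constructed sample: package -> what it BuildRequires (not real OpenPKG data).
BUILD_REQUIRES = {
    "openssl": [],
    "zlib": [],
    "openssh": ["openssl", "zlib"],
    "curl": ["openssl", "zlib"],
    "git": ["curl", "zlib"],
    "perl": [],
}


def reverse_graph(build_requires):
    """Map each package to the packages that build (statically link) against it."""
    rev = {name: set() for name in build_requires}
    for pkg, deps in build_requires.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def rebuild_set(build_requires, fixed_lib):
    """Packages still carrying the old (vulnerable) code of fixed_lib, ordered so
    each one is rebuilt only after the affected packages it builds against."""
    rev = reverse_graph(build_requires)
    # 1. Everything that transitively builds against the fixed library.
    affected, stack = set(), [fixed_lib]
    while stack:
        for dependant in rev.get(stack.pop(), ()):
            if dependant not in affected:
                affected.add(dependant)
                stack.append(dependant)
    # 2. Topological order restricted to the affected subgraph (Kahn's algorithm).
    indeg = {p: sum(1 for d in build_requires[p] if d in affected) for p in affected}
    ready = sorted(p for p in affected if indeg[p] == 0)
    order = []
    while ready:
        cur = ready.pop(0)
        order.append(cur)
        for dependant in rev.get(cur, ()):
            if dependant in affected:
                indeg[dependant] -= 1
                if indeg[dependant] == 0:
                    ready.append(dependant)
                    ready.sort()
    if len(order) != len(affected):
        raise ValueError("cycle in build dependencies")
    return order


if __name__ == "__main__":
    print("rebuild after openssl fix:", rebuild_set(BUILD_REQUIRES, "openssl"))
```

Note that the run-time dependencies recorded in the binary .rpm would not reveal any of this for a statically linked package, which is exactly why the graph has to come from build-time metadata.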
