List: openpkg-dev
Subject: Re: Library dependencies
From: Sławek Żak <slawek.zak () gmail ! com>
Date: 2005-03-18 19:17:46
Message-ID: 787bbe1c05031811174597c672 () mail ! gmail ! com
On Thu, 17 Mar 2005 20:20:06 +0100, Ralf S. Engelschall <rse@openpkg.org> wrote:
> On Thu, Mar 17, 2005, Sławek Żak wrote:
>
> > What was the motivation for adding library dependencies, when OpenPKG
> > is always using static linking? Upgrading i.e. OpenSSL when there is a
> > security bug found won't make OpenSSH and others non-vulnerable
> > automatically. A recompilation is needed. Build prerequisite is
> > enough. Can't these dependencies be removed? What is gained when they
> > are kept?
>
> There are two points you have to keep in mind:
>
> 1. Although RPM knows about both build and run-time dependencies
> in the package specification, it stores the build-time ones in the
> .src.rpm and the run-time ones in the binary .rpm and the instance
> database only. This means that a build/upgrade tool like "openpkg
> build" has no chance to figure out the build-time dependencies of an
> already existing package except to look into the index (but keep in
> mind that the one in the index could be already different in version
> from the one installed).

Hm. The process for upgrading should go like this IMHO:
Find me a new srpm with version higher than the installed. Having the
srpm, find and resolve (build) all dependencies if requested. Install
the prerequisites and build me a package. Remove the prerequisites and
the package if I'm requesting a build only (separate buildhost/cluster
scenario).

> 2. Although we currently still use static library linking, once we want
> to (optionally) also support shared library linking we would have to
> add the run-time dependencies anyway.

That's a good point. Dependency upgrade will suffice if a library
itself is vulnerable/buggy.

> So, although we all do not find it rather elegant, we decided some time
> ago in the past to use both build- and run-time dependencies for all
> libraries.

Don't bother. I was just wondering.

Thanks for the response, /S
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List openpkg-dev@openpkg.org
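
The point raised in the thread, that with static linking an OpenSSL fix reaches OpenSSH only through recompilation, can be expressed as a rebuild plan computed from build-time dependencies. This is an added example, not part of the original message and not OpenPKG code; the package names, dependency lists and the `rebuild_plan` helper are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data (not taken from the OpenPKG index):
# package -> libraries it links statically, i.e. its build prerequisites.
BUILD_REQUIRES = {
    "openssl": [], "zlib": [], "bash": [],
    "openssh": ["openssl", "zlib"],
    "curl": ["openssl", "zlib"],
    "apache": ["openssl"],
    "git": ["curl", "zlib"],
}

def rebuild_plan(fixed_lib, build_requires, installed):
    """Installed packages carrying a stale copy of fixed_lib, in rebuild order."""
    # Invert the graph: library -> packages that link it statically.
    users = defaultdict(set)
    for pkg, libs in build_requires.items():
        for lib in libs:
            users[lib].add(pkg)

    # Transitive closure. A prerequisite that was removed after the build
    # (the separate build host scenario) still passes the stale code on,
    # so the walk goes through packages that are not installed.
    affected, queue = set(), deque([fixed_lib])
    while queue:
        for pkg in users[queue.popleft()] - affected:
            affected.add(pkg)
            queue.append(pkg)

    # Kahn's algorithm on the affected subgraph: a package is rebuilt only
    # after every affected library it links has been rebuilt.
    pending = {p: {l for l in build_requires[p] if l in affected}
               for p in affected}
    order = []
    while pending:
        ready = sorted(p for p, deps in pending.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(pending))
        for p in ready:
            order.append(p)
            del pending[p]
        for deps in pending.values():
            deps.difference_update(ready)
    return [p for p in order if p in installed]

if __name__ == "__main__":
    # curl was a build-only prerequisite and is no longer installed.
    installed = {"openssl", "zlib", "bash", "openssh", "apache", "git"}
    print(rebuild_plan("openssl", BUILD_REQUIRES, installed))
```

Here git is reported although it never lists openssl itself, because it was linked against a curl that embedded it.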