Helge Kreutzmann wrote:
> Package: kdelibs3
> Version: 4:2.2.2-13.woody.12
> Severity: normal
>
> I just wanted to apply the latest security update for kdelibs (DSA 631-1),
> and I was quite astonished when I got
> The following NEW packages will be installed:
> libarts libglib2.0-0
>
> I was under the impression that security updates should only change
> the minimum possible. DSA 631-1 did not list any notice regarding new
> dependencies.
>
> I compared the dependencies of -13.woody.12 (installed as of this writing)
> and -13.woody.13, which is supposed to be the security update. I see that
> two new dependencies have been added:
> libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1)
> libglib2.0-0 (>= 2.0.1)
>
> If these are indeed security-related changes, then they should be mentioned
> in the DSA.
>
> I downloaded the deb next and looked at the changelog. It states:
> * Non-maintainer upload by the Security Team
> * Applied upstream patch to fix arbitrary FTP command execution
> [kio/ftp/ftp.cc, CAN-2004-1165]
>
> Again, no mention of changed dependencies. I now really start to wonder
> what has happened.
Broken build dependency/conflict definition.

I don't know what has introduced this dependency. However, since at least libarts* are also in the suggests field, it shouldn't pose a problem.

libarts was installed on the i386 build system. Maybe that's how the dependency was introduced. It's not declared as a build-conflict, and hence not removed before the build.

Regards,

Joey

PS: Please use X-Debbugs-Cc next time so I don't have to dig out the bugnr on my own.

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
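The check Helge did by hand, comparing the Depends field of the installed package against the security update, can be automated so that a dependency picked up from the build host is caught before the package ships. The script below is an added example and not part of the bug thread or of Debian's tooling; the two Depends strings are constructed (libfoo and libbar are placeholders; the libarts and libglib2.0-0 clauses are the ones quoted in the report), and in real use they would come from `dpkg-deb -f old.deb Depends` and `dpkg-deb -f new.deb Depends`.

```python
"""Diff the Depends field of two Debian package versions.

Reports clauses that appeared, disappeared or changed their version
bounds, so an unexpected new runtime dependency in a security update
(as in the kdelibs3 -13.woody.12 -> -13.woody.13 case) is flagged.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample fields (not the real kdelibs3 control data).
OLD_DEPENDS = "libfoo (>= 1.0), libbar"
NEW_DEPENDS = ("libfoo (>= 1.0), libbar, "
               "libarts (>= 4:2.2.2-1) | libarts-alsa (>= 4:2.2.2-1), "
               "libglib2.0-0 (>= 2.0.1)")

# One alternative: package name, optional "(op version)" relation.
DEP_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9+.-]*)\s*(?:\(\s*([<>=]+)\s*([^)\s]+)\s*\))?\s*$")

Alt = Tuple[str, str, str]          # (name, operator, version)
Clause = Tuple[Alt, ...]            # alternatives joined by "|"


def parse_depends(field: str) -> List[Clause]:
    """Split a Depends field into clauses, each a tuple of alternatives."""
    clauses = []
    for raw in field.split(","):
        if not raw.strip():
            continue
        alts = []
        for alt in raw.split("|"):
            m = DEP_RE.match(alt)
            if not m:
                raise ValueError(f"unparseable dependency: {alt!r}")
            name, op, ver = m.groups()
            alts.append((name, op or "", ver or ""))
        clauses.append(tuple(alts))
    return clauses


def clause_key(clause: Clause) -> str:
    """Identify a clause by its package names, ignoring version bounds."""
    return " | ".join(alt[0] for alt in clause)


def diff_depends(old_field: str, new_field: str) -> Dict[str, List[str]]:
    """Return clauses added, removed, or with changed version relations."""
    old = {clause_key(c): c for c in parse_depends(old_field)}
    new = {clause_key(c): c for c in parse_depends(new_field)}
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }


if __name__ == "__main__":
    report = diff_depends(OLD_DEPENDS, NEW_DEPENDS)
    for kind, keys in report.items():
        for key in keys:
            print(f"{kind}: {key}")
    # Non-zero exit lets a release check refuse an update that grew dependencies.
    sys.exit(1 if report["added"] else 0)
```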