On 19/05/2008, Ian Lynagh <[EMAIL PROTECTED]> wrote:
> On Mon, May 19, 2008 at 02:41:57PM +0200, Michal Suchanek wrote:
> >
> > Is the problem with source dependencies resolved already?
> >
> > Last time I tried to build something the build dependencies were exact
> > (= something) which is very bad for users who try to build anything,
> > and I read some discussion earlier on this list where it was pointed
> > out that this is unacceptable for security as well.
>
> No-one has yet convinced me that any other scheme would be better.
>
> Exact dependencies make security fixes much easier to get right, as you
> don't have to worry about building against an older version of a package
> and getting the security bug cross-module-inlined.
>
> I have a mail somewhere describing a README.Source standard (or
> similar), which I intend to do in my next uploads. That should make it
> easier for users rebuilding, backporters, etc.
>
As it is, the sources require exact versions of their dependencies, so any update (security or otherwise) requires releasing a new revision of the sources for every package that depends on the updated one, and once that happens the new sources are built to get new binaries.

If the exact versioning happened only in binaries, then releasing an updated package would require rebuilding all the packages that depend on it. As there is already a policy for this in Debian that requires that the release of the rebuilt package changes, you get pretty much the same result but spare some bandwidth and headaches, because new sources for everything do not have to be distributed.

The latter scenario can fail if the user has a stack of locally built packages for which the revision would not change if they are rebuilt. But then you have very little control over that setup anyway. Plus the users should be aware that they should rebuild everything when a library is updated - perhaps a good thing to also put into a readme.

The scripts for generating binary packages could possibly be changed to make sure that the revision of the binary package changes whenever it is built against different dependencies (encode the revision of the dependencies in the package revision somehow). But this could get messy and is probably not worth the effort.

Thanks

Michal

_______________________________________________
debian-haskell mailing list
[email protected]
http://urchin.earth.li/mailman/listinfo/debian-haskell
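As an added illustration (not code from the thread or from the Debian Haskell tooling) of the two points above: deriving a binary revision from the exact dependency versions a package was built against, and flagging locally built binaries that were built against a library version no longer installed and so must be rebuilt after an update. The package names, versions and the snapshot format are constructed assumptions, not real Debian data.

```python
"""Added example: fingerprint the exact build-dependency versions so a
rebuild against different dependencies yields a distinct binary revision,
and detect binaries built against now-outdated libraries (where a fixed
bug could otherwise remain cross-module-inlined).  All names and
versions here are constructed sample data."""
import hashlib

# Constructed snapshot of installed library versions (package -> version),
# standing in for what a "dpkg -l"-style query would return.
INSTALLED = {
    "libghc6-network-dev": "2.1.0.0-3",
    "libghc6-parsec-dev": "2.1.0.0-2",
    "libghc6-mtl-dev": "1.1.0.0-1",
}


def dependency_fingerprint(build_deps, installed):
    """Short, stable hash over the exact versions of the build dependencies.
    Sorted so listing order does not matter; a dependency that is not
    installed is an error rather than being silently skipped."""
    parts = []
    for name in sorted(build_deps):
        if name not in installed:
            raise KeyError(f"build dependency {name} is not installed")
        parts.append(f"{name}={installed[name]}")
    digest = hashlib.sha256("\n".join(parts).encode()).hexdigest()
    return digest[:8]


def binary_revision(base_revision, build_deps, installed):
    """Append the fingerprint to the Debian revision ("2" -> "2+dep.<hash>"),
    so a rebuild against other dependency versions is a new package version
    to apt instead of an identical-looking, possibly stale binary."""
    return f"{base_revision}+dep.{dependency_fingerprint(build_deps, installed)}"


def stale_binaries(built_against, installed):
    """Return binary packages whose recorded dependency versions differ from
    the installed ones.  built_against maps binary package name to the
    {dependency: version} mapping recorded at build time."""
    stale = []
    for pkg, deps in built_against.items():
        if any(installed.get(dep) != ver for dep, ver in deps.items()):
            stale.append(pkg)
    return sorted(stale)
```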

