On 03/09/2017 10:36 AM, William Hubbs wrote:
> On Wed, Mar 08, 2017 at 07:49:08PM -0500, Michael Orlitzky wrote:
>> On 03/08/2017 02:20 PM, William Hubbs wrote:
>>>
>>> Another option is to not force this and rely on everyone to use
>>> --with-bdeps=y to make the rebuild happen.
>>>
>>
>> That feature is portage-only. Slot operator deps in DEPEND are meaningless.
> 
> Having things in RDEPEND that are only used at build time is also incorrect.

I was not implying that you have to pick one of the two wrong solutions
and implement it =)

The attractive options at this point are,

  1. Do nothing.

  2. Work with the PMS team to come up with a solution for the problem.

The other proposed solutions don't work:

  * Using RDEPEND is semantically incorrect, and runs afoul of the PMS
    because the packages don't break when their dependencies change.

  * Using slot operator deps in DEPEND is meaningless, and only happens
    to do what you want in portage when --with-bdeps is enabled.

Going forward with either one of those only digs us deeper into the hole
we're already in.

"How do we update insecure libraries?" would have been a good question
to ask *before* adding Go to the tree, because the answer is pretty
clearly "we can't." The right way to fix it now is to create a new class
of dependencies for the CADT languages that ignore the last 40 years of
experience and statically link everything.

