Darren J Moffat wrote:
> If a security patch is available for a library,
> typing pkg install <lib> shouldn't result in that package being marked
> as intentionally installed. Thus, only the initial install of a
> package will typically set the user_installed value.

How will we know if it is a security patch?

It was an example. To put it more simply, upgrading any package for any reason doesn't signify user intent. Does that help make things clearer?

Brock
What if the security patch is actually a whole new revision, and the reason this particular user is installing is not because they want the security fix but because they explicitly want the new version, or just this package, but originally installed it as part of an incorporation?

For example someone installed the "webstack" big wad of stuff.
A security fix for, say, PHP comes out, but the latest version of PHP that is in the repo is a minor version later than what we got when we initially installed "webstack".

The user intent is to upgrade to PHP M.N, so they run 'pkg install php'.

Let's also say that I now need PHP but don't need some other things in webstack.

Where does this leave us?

[ Please don't nitpick on whether or not webstack and PHP are good examples here; I'm not aware of all the dependencies and interplay, I was just trying to pick a reasonably plausible case. ]

The key thing here is that we can't actually tell if the user intent was to install the security fix or install the new version.

How would we even determine what a security fix is?


_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss