On 2018/09/25 16:50, Sebastien Marie wrote:
> On Mon, Sep 24, 2018 at 09:20:34PM +0100, Stuart Henderson wrote:
> > On 2018/09/24 09:04, Sebastien Marie wrote:
> > > Hi,
> > > 
> > > Here is an update for lang/rust 1.29.1.
> > > 
> > > It is a security update (only -current is affected).
> > 
> > Hi, I'm wondering if we need to bump REVISION for ports built with rust
> > (firefox, librsvg, etc) to ensure that they're updated for people running
> > pkg_add -u?
> > 
> 
> At first glance, I thought rust would be part of the signature and so
> packages would update "themselves". But after checking, I think you are
> right.
> 
> lang/rust is a BUILD_DEPENDS, and if programs use code from the Rust
> libstd, the code will be statically compiled into the binary. So it isn't
> part of the signature.
> 
> $ PKG_PATH=cdn.openbsd.org pkg_info -S librsvg-2.44.3
> Information for 
> http://cdn.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/librsvg-2.44.3.tgz
> 
> Signature: 
> librsvg-2.44.3,0,@gdk-pixbuf-2.36.12,@libcroco-0.6.12,@libxml-2.9.8p0,@pango-1.42.4,X11.16.1,Xext.13.0,Xrender.6.0,c.92.5,cairo.13.0,croco-0.6.4.0,expat.12.0,ffi.1.2,fontconfig.12.0,freetype.29.0,fribidi.3.0,gdk_pixbuf-2.0.3200.1,gio-2.0.4200.7,glib-2.0.4201.0,gmodule-2.0.4200.7,gobject-2.0.4200.7,graphite2.2.0,gthread-2.0.4200.7,harfbuzz.12.1,iconv.6.0,intl.6.0,lzma.2.1,m.10.1,pango-1.0.3800.2,pangocairo-1.0.3800.1,pangoft2-1.0.3800.1,pcre.3.0,pixman-1.32.6,png.17.5,pthread.25.1,xcb-render.1.1,xcb-shm.1.1,xcb.4.0,xml2.16.1,z.5.0
> 
> Is there a way in the ports infrastructure to add such a 'fake' dependency
> to trigger a signature change?
> 
> A possible way could be:
> - having a sub-package -libstd on lang/rust (which would be empty or almost)
> - add RUN_DEPENDS+=lang/rust,-libstd to port using rustc
> 
> When lang/rust is updated, the subpackage rust-libstd will automatically
> crank, and so the signature of packages with RUN_DEPENDS will change,
> and pkg_add -u will update. Does it make sense? The drawback would be to
> manually maintain the RUN_DEPENDS, but it is low overhead and one-time
> only.

This would work, it feels a little 'dirty' but not too bad. There's a
similar problem in lang/go fwiw. If this is done via RUN_DEPENDS,
then PKGSPEC can be used to force updates when needed, without having
to bump dependent ports.

But for the immediate case, just bumping them makes sense for now;
I don't think we'll have time for anything more complex.
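A sketch of what the marker-subpackage approach from the quoted proposal could look like in ports Makefiles, combined with the PKGSPEC idea from the reply. This is an added illustration, not code from the thread or from the OpenBSD ports tree; the per-subpackage variables (PKGNAME-libstd, COMMENT-libstd, PKG_ARCH-libstd, PKGSPEC-libstd) are assumed to follow the usual -sub convention of bsd.port.mk(5), and the comment strings are constructed.

```makefile
# Added illustration, not from the thread or the OpenBSD tree.
# Assumed layout: lang/rust gains an (almost empty) -libstd marker
# subpackage; ports whose binaries statically link Rust's libstd add a
# RUN_DEPENDS on it so their package signature changes when rust changes.

# --- lang/rust/Makefile (excerpt, hypothetical) ---
V =			1.29.1

MULTI_PACKAGES =	-main -libstd
PKGNAME-main =		rust-${V}
PKGNAME-libstd =	rust-libstd-${V}
COMMENT-main =		compiler for the Rust language
COMMENT-libstd =	marker for the Rust libstd linked into binaries

# The marker ships no files (pkg/PLIST-libstd is assumed empty), so it is
# architecture-independent and must not inherit the main package's
# shared-library and run-time dependencies.
PKG_ARCH-libstd =	*
WANTLIB-libstd =
RUN_DEPENDS-libstd =

# Default spec consumers get when they depend on the subpackage: raising
# it here forces pkg_add -u to pull the new version without touching the
# REVISION of every dependent port (the PKGSPEC point from the reply).
PKGSPEC-libstd =	rust-libstd->=${V}

# --- graphics/librsvg/Makefile (excerpt, hypothetical) ---
# rustc is only needed at build time, as before.
BUILD_DEPENDS +=	lang/rust
# libstd is statically linked and therefore absent from the signature
# printed by pkg_info -S; this marker dependency is what makes the
# signature move when lang/rust is updated.
RUN_DEPENDS +=		lang/rust,-libstd
```

After such a change, `pkg_info -S librsvg-...` would list the rust-libstd marker in the signature, so a rust update changes it and `pkg_add -u` rebuilds the dependency graph accordingly.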

