Message-ID: <4A37BB97.8080405@bsdforen.de>
Date: Tue, 16 Jun 2009 17:34:47 +0200
From: Dominic Fandrey
To: Mel Flynn
Cc: Boris Samorodov, freebsd-ports@freebsd.org
Subject: Re: pkg_libchk: a missing library is not detected

Mel Flynn wrote:
> On Monday 15 June 2009 02:55:09 Dominic Fandrey wrote:
>> Sorry for the late reply, this was auto-sorted into the ports@ mails
>> and drowned there.
>>
>> Boris Samorodov wrote:
>
>>> As I understand pkg_upgrade does not preserve old libraries at
>>> /usr/local/lib/compat?
>> That's true. I consider this common approach a security risk.
>
> It is a service interruption to delete libraries that are still used and this
> can also lead to security problems.
> However, pkg_upgrade cannot ever hope to fix this problem, because the
> buildservers do not unconditionally rebuild packages that mention the upgraded
> port in LIB_DEPENDS, therefore it is better to leave these shared libraries
> around.

To me something not working seems to be less of a security problem than
linking to a vulnerable library.

>> To ensure that you get the newest packages wipe
>> /usr/ports/packages/All.
>
> Erm, the download time associated with that approach doesn't really speed up
> things, nor does it guarantee that you will have working binaries if the port
> maintainer forgot to version bump a port.

Well, you don't ever need them again after having them installed once,
so I don't see the problem. And at least from pointyhead I've never had
broken linking, even when the package was not version bumped, so I think
there's some kind of human intervention, or I was lucky.

Proper version bumping solves both problems, though, and it is rarely
forgotten lately. So the issue is much smaller now than it would have
been a couple of years ago.

Also I do not see a way for my tool to handle this in any acceptable
way. If you've got an idea, go ahead and tell me.

I actually want to deal with as many problems as possible without
user intervention. It's about making life easier, after all.