Date:      Tue, 01 Apr 2014 16:38:43 +0100
From:      Matthew Seaman <matthew@freebsd.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: Updating less-than-everything with poudriere & pkgng
Message-ID:  <533ADD83.7050903@freebsd.org>
In-Reply-To: <CABXB=RSgfe=nS=tTGd7kFQ4fcGASJCZYaZt9nPGCY=XnX9cTEA@mail.gmail.com>
References:  <CABXB=RSgfe=nS=tTGd7kFQ4fcGASJCZYaZt9nPGCY=XnX9cTEA@mail.gmail.com>


On 04/01/14 16:18, J David wrote:
> Consider a poudriere-generated pkgng repository with about 10,000
> packages in it.  Now, just because the FreeBSD ports collection is the
> way it is, about 8,000 of those packages are going to depend directly
> or indirectly on perl.
>
> Now suppose one of those 10,000 packages is foobar-1.2.2.  A security
> advisory is released, and it is now urgent to upgrade all the machines
> using this repository to foobar-1.2.3 ASAP.  But foobar-1.2.3 (like
> 7,999 of its brethren) depends on perl, and perl has also been updated
> from perl-5.12.3.4_5a to 5.12.3.4_5a1.
>
> What we want is to do a poudriere build that updates to foobar-1.2.3
> and rebuild anything that depends on foobar.
>
> But the first thing poudriere is going to do is whack perl-5.12.3.4_5a
> and all 8000 packages that depend on it.
>

This is why the quarterly branches exist.  2014Q1 (Just EoL'd) and
2014Q2 (just branched from head) will now get only security and port-fix
type upgrades for the next 3 months.  Therefore if your poudriere repo
had been tracking 2014Q1 it would probably not have had those perl
updates to deal with, but it would have had foobar-1.2.3 security fixes.

Of course, right about now, you get to have an upgrade frenzy applying 3
months' worth of changes in one fell swoop, as there's the switchover
from 2014Q1 to 2014Q2 happening right now.

There's no way I know of to use poudriere to selectively update just
packages from the dependency tree involving foobar but not ones
involving perl.  So, yes, you'll end up with your package builder doing
a lot of building, and you will have a window of exposure while that is
happening.  About the only way I can think of to achieve that is to
apply selective updates to your ports tree that you have checked out of
SVN, which is a pain in the posterior and not always guaranteed to work
properly.

	Cheers,

	Matthew



