From: J David
To: Mathieu Arnold
Cc: freebsd-questions@freebsd.org, freebsd-ports@freebsd.org
Date: Thu, 3 Apr 2014 13:52:05 -0400
Subject: Re: Updating less-than-everything with poudriere & pkgng

On Thu, Apr 3, 2014 at 11:36 AM, Mathieu Arnold wrote:
> Something built for perl 5.14.0 will work with perl 5.14.5.a6_7.

This is one of those things that's true most of the time. And on those occasions when it isn't, the fallout is spectacular.

It does not come up more often because poudriere does such a good job protecting against it by ensuring that whatever depends on perl is also rebuilt whenever perl changes. What we are trying to do is stop perl from being rebuilt just because we are building something way down the line that depends on it.

> If a port
> that needs Perl has changes introduced from the Perl update, it will get a
> portrevision bump.

This problem is more about the opposite case, where Perl changes out from under a port that uses it.

Perl got singled out as my example simply because when speaking about the FreeBSD "ports tree" it is the closest thing there is to a root.

Another example would be apr. Apache has a security issue -> rebuild apache -> poudriere builds a new version of apr -> apr revs its shared library version -> deploy fix -> unrelated port subversion (not rebuilt) abruptly quits working -> torches and pitchforks.

Of course in that case it's not as big a deal because there aren't tens of thousands of ports that depend on apr so, provided you realize apr is getting updated, you can probably find them. Which is fine. Unless the new version of subversion has compatibility issues of its own your developer team isn't ready to deal with. All because Apache has a segfault when logging truncating cookies.

Although there's not a "build this, and its dependents, and its dependencies' dependents" option either, so you are still pretty much stuck building everything if you want to make sure you found them all. Then again, Apache also depends on perl...

The net effect of all of this is that even if you do take 24 hours and rebuild all the ports that depend on perl because of that foobar vulnerability, including bazqux, you *still* end up pissing off the bazqux users because it rev'd bazqux from 1.5 to 2.0 and 2.0 isn't backward compatible. And the people using bazqux don't take "well foobar had a security issue" as a reason for disrupting them, because they don't care one whit about foobar.

It's definitely a rock-and-hard-place situation. It's not clear that an ideal answer even exists, but it would be nice to get a little bit closer.

Thanks!
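
The "build this, and its dependents, and its dependencies' dependents" set described in the message above can be computed from a dependency graph. The following is an added example, not part of the original message and not poudriere or pkg code; the graph is constructed sample data and the function names (`rebuild_set`, `build_order`) are hypothetical.

```python
from collections import defaultdict, deque
from graphlib import TopologicalSorter

# Constructed sample graph (port -> direct dependencies); not real ports-tree data.
DEPS = {
    "apache": ["apr", "perl"],
    "subversion": ["apr"],
    "bazqux": ["perl"],
    "foobar": ["perl"],
    "apr": [],
    "perl": [],
    "standalone": [],
}

def reverse_graph(deps):
    """Map each port to the set of ports that depend on it directly."""
    rdeps = defaultdict(set)
    for port, needs in deps.items():
        for dep in needs:
            rdeps[dep].add(port)
    return rdeps

def closure(start, edges):
    """Every node reachable from `start` by following `edges`, start included."""
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def rebuild_set(target, deps, changed=None):
    """The target, the dependencies that get rebuilt with it, and every port
    that depends (directly or transitively) on any of those.
    `changed` restricts the rebuilt dependencies to the ones whose version
    actually moved; None assumes every dependency of the target is rebuilt."""
    all_deps = closure([target], deps) - {target}
    rebuilt = all_deps if changed is None else all_deps & set(changed)
    return closure({target} | rebuilt, reverse_graph(deps))

def build_order(ports, deps):
    """Order `ports` so that each one is built after its dependencies."""
    graph = {p: [d for d in deps[p] if d in ports] for p in sorted(ports)}
    return list(TopologicalSorter(graph).static_order())

if __name__ == "__main__":
    for changed in (None, ["apr"]):
        ports = rebuild_set("apache", DEPS, changed)
        print(changed, build_order(ports, DEPS))
```

With every dependency assumed rebuilt, fixing apache pulls in perl and therefore bazqux and foobar; limiting the set to dependencies that actually changed (here only apr) leaves just apache, apr and subversion.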