One option smart needs to conquer the world

Axel Thimm Axel.Thimm at ATrpms.net
Thu Feb 23 08:39:11 PST 2006


On Wed, Feb 22, 2006 at 09:54:38PM -0800, Tim Fenn wrote:
> The problem is that downgrading something to solve a dependency could
> be bad from a security standpoint (among other minor issues), and
> hence why some distros shy away from smart.

It could just be the opposite, too. The downgrading of package foo in
smart happens not because it's a rainy Sunday, but because you asked
smart to perform an operation like perhaps upgrading another package,
bar, that *does* have a security issue.

Another depsolver would say: No, I won't upgrade bar to version 2
because foo requires bar = 1. So as long as the repo is broken that
way, non-smart depsolvers will not be able to render your system
secure. And it's not an academic example, it happened very often
during early FC4 release, where there was a flurry of updates in the
first weeks, and it will happen again with FC5.

And with a non-smart depsolver it's even worse. If a repo has a couple
of security updates, but some totally unrelated package baz has messed
up its dependencies you get stuck and have to wait until the mess is
cleaned up until you can step on and secure your system. Or you'll
have to hand-tune your updates, which is not what a depsolver is
supposed to do.

> I honestly don't know of a good solution - which should the sysadmin
> prefer: security or zero dependency problems?  I'd vote for the
> former, but I certainly sympathize with the latter.

I wouldn't compare them at all. For any security breach example
non-smart followers come up with you can provide a counter-example.

> Is there any middle ground short of adding the option in smart?

Ignore the FUD and enjoy a great tool?
-- 
Axel.Thimm at ATrpms.net