One option smart needs to conquer the world

seth vidal skvidal at gmail.com
Thu Feb 23 08:47:44 PST 2006


On Thu, 2006-02-23 at 17:39 +0100, Axel Thimm wrote:

> It could just be the opposite, too. The downgrading of package foo in
> smart happens not because it's a rainy sunday, but because you asked
> smart to perform an operation like perhaps upgrading another package,
> bar, that *does* have a security issue.

So how is your concern about upgrading into a problem or not being able
to upgrade b/c of a broken repository any less valid than my concern
about downgrading into a security problem?

I don't disagree with you that someone could be stuck unable to upgrade
b/c of a dependency issue - but I see that as a problem the repository
needs to solve - not a problem that the depsolver needs to do.

Moreover a good number of updates are released for security reasons and
downgrading is not considered safe by security officers all over the
place. We KNOW that downgrading has that potential. At least by
upgrading you're upgrading into what is intended to be an improvement.


> Another depsolver would say: No, I won't upgrade bar to version 2
> because foo requires bar = 1. So as long as the repo is broken that
> way, non-smart depsolvers will not be able to render your system
> secure. And it's not an academic example, it happened very often
> during early FC4 release, where there was a flurry of updates in the
> first weeks, and it will happen again with FC5.

And the issue of downgrading into oblivion could occur as well. It's not
an academic example, either.


I really would like to know how your concerns are any less valid than
mine.

> I wouldn't compare them at all. For any security breach example
> non-smart followers come up with you can provide a counter-example.
> 
> > Is there any middle ground short of adding the option in smart?
> 
> Ignore the FUD and enjoy a great tool?

How is your example less FUD than mine?

It seems like we have two solutions to a similar problem and two
programs have taken different paths.

I really don't see the conflict here at all.

-sv
