On 10/24/07, Richi Plana <myfedora@xxxxxxxxxxxxxx> wrote: > As for the second issue (delaying non-essential updates which break), if > we look at the most common use-case, we have the ff. actors: the package > maintainer for the package that breaks (A), the package maintainer/s for > the package that depend on the breaking one (B), and the users who do > "yum update"s (C). It's my contention that (A)'s update should be > delayed pending the resolution of (B)'s packages or a certain amount of > time has passed. I won't even begin to argue who is responsible for > coordinating with who ((A) or (B)). I just believe that (C) shouldn't > have to be involved. Point of fact... is there anything which depends on firefox that is currently experience a depchain problem that is considered a mandatory application? Crap like yelp and devhelp and Miro are fundamentally optional components. And you absolutely are not going to be able to make a strong enough argument that firefox security updates should be delay one milliseconds to keep optional packages from breaking. It just isnt going to fly. People who do not have these optional components installed will suffer lapses in security unnecessarily. Yes it absolutely sucks for the user who has these optional components installed. Because that user is now required to make a choice. You can choose to uninstall the packages which have a dep problem or you can choose to ignore that update because it causes dep problems. Something like the yum-skip-broken plugin package helps users make a choice, by choosing to not install the update because of the dep problems. I'm not aware of a similar yum plugin which forces the install of security updates, but perhaps such a plugin should exist to round out the policy choices for end-users. There's no getting around it. The fact that these application have choosen to require libraries from firefox, when said libraries are known to be unstable and non-conformant to established generally accepted soname rules is the fundamental problem. Until xulrunner finds its way in, its absolutely up to the maintainers of packages which depend on firefox to know exactly the sort of problems thier packages cause on every single firefox update since the dawn of time. Honestly if I could do it I would forbid any package from depping against firefox until xulrunner lands in Fedora to avoid this entirely than to continue to work under the farce that the gecko libraries that applications are depending are appropriate to rely on as a development framework. -jef"lost count of the number of times he's re-opened bugs about ff deps since fc1 was released"spaleta -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
