Jeff Spaleta <jspaleta <at> gmail.com> writes:
> You are absolutely NOT going to see security updates postponed for
> deps to catch up.

I don't think that's a good way to handle things. I think almost every user has at least one of the affected packages installed, so what will happen will be that best case they have something like yum-skip-broken, apt or smart which can skip the Firefox update automatically (so why is it being pushed then?), worst case they'll end with NO security updates applied at all. (OK, they could also be using something like apt-get dist-upgrade which will delete the packages depending on Firefox, but that's not really a solution either, and most likely they'll just choose to hold back Firefox instead, putting us back to square one.)

Now, I can understand breaking deps for a package with few users and/or no active maintainer (it's still a bad thing, but sometimes a tradeoff has to be made), but not for a dozen packages (some of them installed on a lot of machines) which weren't even given a chance to rebuild.

What my personal suggestion would be is to:
* have the dependent packages centrally rebuilt (by rel-eng?) as soon as Firefox is built,
* have the Firefox security update held off until the rebuilds are complete.

That shouldn't amount to more than one day of delay, much less than the delay those updates go through for most users with the current system (due to broken deps). Of course, if a rebuild fails for whatever reason, pushing the new Firefox anyway, breaking the dep, is probably the best that can be done.

Kevin Kofler

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list