pkg_libchk: a missing library is not detected

Dominic Fandrey kamikaze at bsdforen.de
Tue Jun 16 15:34:56 UTC 2009


Mel Flynn wrote:
> On Monday 15 June 2009 02:55:09 Dominic Fandrey wrote:
>> Sorry for the late reply, this was auto-sorted into the ports@ mails
>> and drowned there.
>>
>> Boris Samorodov wrote:
> 
>>> As I understand pkg_upgrade does not preserve old libraries at
>>> /usr/local/lib/compat?
>> That's true. I consider this common approach a security risk.
> 
> It is a service interruption to delete libraries that are still used and this 
> can also lead to security problems.
> However, pkg_upgrade cannot ever hope to fix this problem, because the 
> buildservers do not unconditionally rebuild packages that mention the upgraded 
> port in LIB_DEPENDS, therefore it is better to leave these shared libraries 
> around.

To me something not working seems to be less of a security problem than
linking to a vulnerable library.

>> To ensure that you get the newest packages wipe
>> /usr/ports/packages/All.
> 
> Erm, the download time associated with that approach doesn't really speed up 
> things, nor does it guarantee that you will have working binaries if the port 
> maintainer forgot to version bump a port.

Well, you don't ever need them again after having them installed once, so I
don't see the problem. And at least from pointyhead I've never heard of
broken linking, even when the package was not version bumped, so I think
there's some kind of human intervention, or I was lucky.

Proper version bumping solves both problems, though, and it is rarely forgotten
lately. So the issue is much smaller now than it would have been a couple of
years ago. Also I do not see a way for my tool to handle this in any
acceptable way. If you've got an idea, go ahead and tell me. I actually
want to deal with as many problems as possible without user intervention.
It's about making life easier, after all.
