Updating less-than-everything with poudriere & pkgng

J David j.david.lists at gmail.com
Tue Apr 1 15:18:06 UTC 2014


Poudriere and pkgng have been great tools for managing large numbers
of FreeBSD ports.

However, we would like to optimize the build in some cases.

Consider a poudriere-generated pkgng repository with about 10,000
packages in it.  Now, just because the FreeBSD ports collection is the
way it is, about 8,000 of those packages are going to depend directly
or indirectly on perl.

Now suppose one of those 10,000 packages is foobar-1.2.2.  A security
advisory is released, and it is now urgent to upgrade all the machines
using this repository to foobar-1.2.3 ASAP.  But foobar-1.2.3 (like
7,999 of its brethren) depends on perl, and perl has also been updated
from perl-5.12.3.4_5a to 5.12.3.4_5a1.

What we want is to do a poudriere build that updates to foobar-1.2.3
and rebuilds anything that depends on foobar.

But the first thing poudriere is going to do is whack perl-5.12.3.4_5a
and all 8000 packages that depend on it.

This is a problem for two reasons.

First, this takes at least a day to build, during which time
foobar-1.2.2 is out there waiting to be exploited.  (Alternatively you
can try to build less than the full set to get it done quicker, but
this introduces its own set of problems; packages that didn't get
rebuilt may stop working.)

Second, it's virtually a guarantee that hidden somewhere in those 8000
packages is an update that breaks something for somebody using that
repository.

So poudriere creates this situation where to get any security update,
you have to take every other unrelated update, even if they are very
bad for you.

Is there any way to either:

- Convince poudriere only to build a specific port and its dependents, or
- Build port(s) outside of poudriere and then inject them into the
pkgng repo maintained by poudriere?

For example, if there were some way we could manually delete what we
want rebuilt and tell poudriere to rebuild only the missing, not the
outdated, that would be great.  (It would be *ideal* if we could just
delete the target package and poudriere would take care of deleting
its dependents.)

Thanks for any advice!

