On Mon, Sep 24, 2018 at 09:20:34PM +0100, Stuart Henderson wrote:
> On 2018/09/24 09:04, Sebastien Marie wrote:
> > Hi,
> >
> > Here is an update for lang/rust 1.29.1.
> >
> > It is a security update (only -current is affected).
>
> Hi, I'm wondering if we need to bump REVISION for ports built with rust
> (firefox, librsvg, etc) to ensure that they're updated for people running
> pkg_add -u?
>

At first glance, I thought rust would be part of the signature and so
packages will update "themselves". But after checking, I think you are right.

lang/rust is a BUILD_DEPENDS, and if programs use code from the Rust
libstd, the code will be statically compiled in the binary. So it isn't part
of the signature.

$ PKG_PATH=cdn.openbsd.org pkg_info -S librsvg-2.44.3
Information for http://cdn.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/librsvg-2.44.3.tgz

Signature: librsvg-2.44.3,0,@gdk-pixbuf-2.36.12,@libcroco-0.6.12,@libxml-2.9.8p0,@pango-1.42.4,X11.16.1,Xext.13.0,Xrender.6.0,c.92.5,cairo.13.0,croco-0.6.4.0,expat.12.0,ffi.1.2,fontconfig.12.0,freetype.29.0,fribidi.3.0,gdk_pixbuf-2.0.3200.1,gio-2.0.4200.7,glib-2.0.4201.0,gmodule-2.0.4200.7,gobject-2.0.4200.7,graphite2.2.0,gthread-2.0.4200.7,harfbuzz.12.1,iconv.6.0,intl.6.0,lzma.2.1,m.10.1,pango-1.0.3800.2,pangocairo-1.0.3800.1,pangoft2-1.0.3800.1,pcre.3.0,pixman-1.32.6,png.17.5,pthread.25.1,xcb-render.1.1,xcb-shm.1.1,xcb.4.0,xml2.16.1,z.5.0

Does there exist a way in the ports infrastructure to add such a 'fake'
dependency to trigger a signature change?

A possible way could be:
- having a sub-package -libstd on lang/rust (which would be empty or almost)
- add RUN_DEPENDS+=lang/rust,-libstd to ports using rustc

When lang/rust is updated, the subpackage rust-libstd will automatically
crank, and so the signature of packages with RUN_DEPENDS will change, and
pkg_add -u will update.

Does it make sense?

The drawback would be to manually maintain the RUN_DEPENDS, but it is low
overhead and one-time only.

Thanks.
-- 
Sebastien Marie
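
Added example (not part of the original mail, and not ports-tree code): a
small sh sketch of the signature check discussed above. It assumes pkg_add -u
can be modelled as "update when the signature string differs"; the sample
signatures are constructed, rust-libstd is the hypothetical subpackage from
the proposal, and version 1.29.0 is invented for illustration.

```sh
#!/bin/sh
# Constructed sample: shortened copy of the librsvg signature quoted in the mail.
SIG_NOW='librsvg-2.44.3,0,@gdk-pixbuf-2.36.12,@libxml-2.9.8p0,c.92.5,cairo.13.0,z.5.0'
# Hypothetical signatures if librsvg had RUN_DEPENDS on the proposed rust-libstd
# subpackage; the 1.29.0 version is constructed for illustration.
SIG_OLD='librsvg-2.44.3,0,@gdk-pixbuf-2.36.12,@libxml-2.9.8p0,@rust-libstd-1.29.0,c.92.5,cairo.13.0,z.5.0'
SIG_NEW='librsvg-2.44.3,0,@gdk-pixbuf-2.36.12,@libxml-2.9.8p0,@rust-libstd-1.29.1,c.92.5,cairo.13.0,z.5.0'

# Print the package dependencies (the @-prefixed entries), one per line.
sig_deps() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^@//p'
}

# Succeed if the signature records a dependency on package stem $2.
sig_has_dep() {
    sig_deps "$1" | grep -q "^$2-[0-9]"
}

# Assumption: pkg_add -u is modelled as "update when the signature strings differ".
needs_update() {
    [ "$1" != "$2" ]
}

# Report for one package: is rust visible, and would a rebuild be picked up?
report() {   # $1 label, $2 installed signature, $3 signature after rebuild
    if sig_has_dep "$2" rust || sig_has_dep "$2" rust-libstd; then
        rustdep=yes
    else
        rustdep=no
    fi
    if needs_update "$2" "$3"; then upd=yes; else upd=no; fi
    printf '%s: rust in signature=%s, picked up by pkg_add -u=%s\n' "$1" "$rustdep" "$upd"
}

# A rebuild against the fixed compiler leaves today's signature unchanged.
report 'today (BUILD_DEPENDS only)' "$SIG_NOW" "$SIG_NOW"
report 'with rust-libstd RUN_DEPENDS' "$SIG_OLD" "$SIG_NEW"
```
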