To Require or not to Require?

Michael Schwendt mschwendt at gmail.com
Mon Aug 15 23:55:06 UTC 2011


On Mon, 15 Aug 2011 16:20:47 -0400, SV (seth) wrote:

> On Sat, 2011-08-13 at 09:19 +0200, Michael Schwendt wrote:
> > On Fri, 12 Aug 2011 12:08:50 -0400, SS (Simo) wrote:
> > 
> > > If rpmbuild does not add an implicit requires with libraryX >= <version
> > > we built against> then it is certainly broken.
> > 
> > One could also argue that an activity like "yum install ..." ought to
> > search for and apply the latest available updates of needed packages. Such
> > behaviour has been rejected some years ago, if memory serves correctly. 
> 
> 
> It was rejected with good reason, I think. I do not think we should be
> adding functionality into yum which:
> 
> 1. violates the principle of least surprise for the admin
> 2. covers up for not-specific-enough requirements in the packaging.

Well, I can understand that point of view partially. The rationale
isn't entirely convincing, though. The more explicitly versioned dependencies
we would add to packages (either manually or automatically during rpmbuild),
the more updates a "yum install" would pull in. It won't be a full update,
but could break other installed packages.

Running out-of-date installations is not only a problem when a newly
installed package works only with latest updates. Ordinary bugs in
dependencies can also be a reason why the newly installed package will
need a full "yum update" before it would work [at all or correctly].
Ever seen users with an app startup crash and "yum update APP-PKG-NAME"
not fixing it because "yum update LIB-PKG-NAME" was necessary?

> It just feels like it would be fixing a "problem" at the wrong layer.

Where is the right layer?
Do we need to adjust the packaging policies wrt updates?

Fedora 15 by default displays update notifications less frequently.

The package installer could at least notify the user about available
updates immediately after installing a package. Some updates could be
important, especially if they are a dependency of the newly installed
package.

Users with out-of-date installations often are harder to support not just
because of old issues they run into.

If application misbehaviour is fixed in a system library, there is a
library package update, but the application package normally isn't rebuilt
just to add to it a "specific-enough requirement" on the updated library.
This isn't limited to one programming language. Even a Python app could
crash at run-time because of a bug in a Python module with an update that
has not been installed yet.

I think we are ill-advised if we publish a steady flood of updates (even for
old dist releases), but want users to install updates less frequently.

