Is it really that wise to update dependencies?
Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 2:21 pm

Hi!

I'm returning to Gentoo after a few years out of the Linux world (I quit when GNOME killed its version 2). I'm wondering... when you're updating your system, is it wise to ALSO update dependencies?

I'm a Windows dev. Let's say that we have an app named myApp.exe which depends on myDependency.dll. If I update myDependency.dll from version 1 to version 2, that update may break myApp.exe, because maybe the internal API of myDependency has changed.

What I'm saying is, the installer of myApp.exe should be the one in charge of updating myDependency.dll, not me, because if I update the .dll by myself I may break the app.

So, if myApp was a Linux app, I think that I should *ONLY* update myApp, and Portage in turn should decide IF it needs to update its dependencies too.

Am I right? I'm looking at this from a Windows point of view. Maybe in Linux it doesn't work like that. Can someone please help me to understand this?

Thanks! And sorry for my bad English.
_________________
On Microsoft CDs, played backwards you hear a satanic message. That's not the worst part: played forwards, it installs Windows. 8O

dmpogo
Advocate
Posted: Thu Jul 11, 2013 2:26 pm

Cyberstudio wrote:
Hi!

I'm returning to Gentoo after a few years out of the Linux world (I quit when GNOME killed its version 2). I'm wondering... when you're updating your system, is it wise to ALSO update dependencies?

I'm a Windows dev. Let's say that we have an app named myApp.exe which depends on myDependency.dll. If I update myDependency.dll from version 1 to version 2, that update may break myApp.exe, because maybe the internal API of myDependency has changed.

What I'm saying is, the installer of myApp.exe should be the one in charge of updating myDependency.dll, not me, because if I update the .dll by myself I may break the app.

So, if myApp was a Linux app, I think that I should *ONLY* update myApp, and Portage in turn should decide IF it needs to update its dependencies too.

Am I right? I'm looking at this from a Windows point of view. Maybe in Linux it doesn't work like that. Can someone please help me to understand this?

Thanks! And sorry for my bad English.


That is how it usually works, yes. For that to be smooth, make sure that your 'world' file has primarily only applications, not libraries that will be pulled by dependencies when you update the applications.

And if the libraries are updated, it is always prudent to run revdep-rebuild to check if anything got broken and rebuild it.
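
The advice above to keep the world file limited to applications can be checked mechanically. The following is an added example, not part of the original thread: it lists world-file entries whose category ends in `-libs`. The names `audit_world` and `sample_world`, the `-libs` heuristic and the sample entries are assumptions made for illustration; `/var/lib/portage/world` is Portage's default world file.

```shell
#!/bin/sh
# Added example: flag library atoms recorded in a Portage world file.
# Assumption: a category ending in "-libs" (dev-libs, media-libs, sys-libs,
# x11-libs, ...) marks a library. This is a heuristic, not a Portage rule.

audit_world() {
    # $1: path to a world file (one atom per line, optional :slot suffix)
    world_file=${1:-/var/lib/portage/world}
    if [ ! -r "$world_file" ]; then
        echo "cannot read $world_file" >&2
        return 2
    fi

    # Drop comments and blank lines, strip version operators and slots,
    # then keep only atoms whose category ends in "-libs".
    libs=$(sed -e 's/[[:space:]]*#.*$//' \
               -e '/^[[:space:]]*$/d' \
               -e 's/^[<>=~!]*//' "$world_file" |
        awk -F/ 'NF == 2 && $1 ~ /-libs$/ {
                     sub(/:.*$/, "", $2); print $1 "/" $2
                 }' |
        sort -u)

    if [ -z "$libs" ]; then
        return 0                    # world contains no library atoms
    fi
    printf '%s\n' "$libs"
    return 1                        # at least one library is in world
}

# Constructed sample world file contents (not taken from the thread).
sample_world() {
    cat <<'EOF'
app-editors/vim
dev-libs/openssl:0
# pulled in by hand years ago
media-libs/libpng
www-client/firefox
x11-libs/gtk+:2
EOF
}
```

An atom reported here can be dropped from the world set with `emerge --deselect <atom>`, which removes it from the world file without uninstalling it.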
Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 2:41 pm

So, there's no need to manually update dependencies?

John R. Graham
Administrator
Posted: Thu Jul 11, 2013 2:52 pm

Correct. During an update, if a package you've specifically installed (member of world set, in other words) needs a newer version of a dependency, the dependency will be updated automatically. There are other nuances, but no manual updates are required.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 3:13 pm

John R. Graham wrote:
Correct. During an update, if a package you've specifically installed (member of world set, in other words) needs a newer version of a dependency, the dependency will be updated automatically. There are other nuances, but no manual updates are required.

- John


8O I think not a lot of people know that... 8O

Why is everyone running emerge -uDav if emerge --update --ask world is safer and less risky for the stability of the system?

I think there should be a "Portage best practices" page on the wiki. There's a lot of myth and black magic floating around about how to do things with Portage. If I had the knowledge on the subject I would write it myself.

John R. Graham
Administrator
Posted: Thu Jul 11, 2013 3:47 pm

Cyberstudio wrote:
8O I think not a lot of people know that... 8O
Actually, I think most people know that; you've just been away too long. :wink:

Frankly, there's no perception in the community that --update --deep is significantly more dangerous than --update alone; it's just often unnecessary.

- John

nativemad
Developer
Posted: Thu Jul 11, 2013 3:51 pm

Hi,

You clearly should update the dependencies! (and run revdep-rebuild afterwards :wink: )
Because this is actually what gets tested during the stabilization of a package!
A newer lib means that you test all stable packages with a dependency to that lib.
So it would be wise for security reasons to also update dependencies and not just the required ones, as all the stable packages should run against it! -if not, then please file a bug!
Furthermore, if you only update the world, it could happen that you install an app that runs against the current stable lib, but not with the one you've still got from the install 3 years ago... As stable gets tested against current stable and not all ancient versions.... :wink:

HTH
_________________
Power to the people!

Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 3:54 pm

Yes, you're right. I always end up coming back to Gentoo.

What strategy do you use on your personal systems?

John R. Graham
Administrator
Posted: Thu Jul 11, 2013 4:14 pm

nativemad wrote:
You clearly should update the dependencies! (and run revdep-rebuild afterwards :wink: )
Because this is actually what gets tested during the stabilization of a package!
A newer lib means that you test all stable packages with a dependency to that lib. ...
Although all of that is true, stating it like that implies that it doesn't happen unless you take some special action. In fact, the reverse is true: you have to take special action to avoid the called-for updates of dependencies. (Cyberstudio, I'm not even going to tell you what the special action is. :wink: If you really must know, the emerge man page will elucidate.)

All of this happens automatically during a routine update for exactly the reasons nativemad cites: if there's a known security issue, the Gentoo developers will update the Portage tree to force the update of the vulnerable package.

- John

Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 4:35 pm

Thanks nativemad, sounds very logical to me. That was the part that I was missing.

Ok, so the consensus is that it's not "Obligatory" to do so, but it's "Ideal"?

nativemad
Developer
Posted: Thu Jul 11, 2013 4:46 pm

Nothing is obligatory in Gentoo!! :wink:

Cyberstudio
Apprentice
Posted: Thu Jul 11, 2013 4:54 pm

That's true... but Gentoo is SO flexible that it can harm you if you're not clear on what you want and how you should do it.

Ahhh, it feels so good to be back. Just like home.

Thanks a lot guys!