snort ?

Thu Feb 3 18:09:54 UTC 2005

On Thu, 03 Feb 2005 11:36:03 -0600, Daniel Wittenberg wrote:

> > We've been following fedora.us guidelines for a long time. So one cannot
> > say there would be no guidelines. Adhering to those guidelines would get
> > rid of the redundant and dangerous explicit dependencies in your package
> > (libpcap, pcre e.g.), for instance.
> 
> What do you mean by 'redundant and dangerous' dependencies?  Just to be
> clear, you mean the Requires and not the BuildRequires correct?  We had
> problems in the past with those not being picked up correctly, which is
> why they were explicitly listed.  It looks like they are build fine now
> on fc3 so they can probably be removed from the Requires section.  So
> while it may not be possibly needed now, how is it considered dangerous?

We have automatic RPM dependencies on library sonames. These are
generated at the end of the rpmbuild process. Example:

    $ rpm -qpR snort-2.3.0-1.i386.rpm | grep cap
    libpcap  
 -> libpcap.so.0.8.3 

That information is enough to make modern package tools find the
package which provides libpcap.so.0.8.3:

    $ rpm --redhatprovides libpcap.so.0.8.3
    libpcap-0.8.3-7

When you add an explicit "Requires: libpcap", you tie your package against
a specific package name, which may or may not provide the needed library
or which may not be available anymore during an upgrade of other
packages. With that, the library could not be moved into another package,
e.g. libpcap0, when the main libpcap package was upgraded to libpcap.so.1.

The dangers are in creating unneeded dependencies on packages, which may
be obsolete or renamed during upgrades and then break your dependencies.
The dangers are also in trusting these manually determined dependencies
more than the actual dependencies determined by rpmbuild. If e.g. a
configure script would reject an incompatible libfoo-devel and build
without libfoo, your binaries would still depend on libfoo, giving a false
impression.

> > Also, with "ready" I mean that an rpmbuild rebuild creates the binary
> > packages as intended. The latest src.rpm you linked now still does not do
> > that, but requires lots of manual switches. Other comments posted before.
> > The package would benefit from a cleanup.
> 
> Can you give specifics about what you are talking please.

Not repeating my previous replies, though. Most important, a default
"rpmbuild --rebuild snort-2.3.0-0.fdr.1.src.rpm" creates a single package,
no MySQL support, no Postgresql support, and so on. This doesn't look like
intended. Ugly things I would really like to see removed: the conditional
cruft for Fedora and cAos specific sections (commented on that before) and
vendor/packager tag mangling, as well as the silly buildroot=/ checks
which add no safety (emptying the buildroot anywhere else than at the
start of %install makes a poor and confusing spec design).