[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Upgrading packages with substitutes only (bug #26608)

From: Ricardo Wurmus
Subject: Re: Upgrading packages with substitutes only (bug #26608)
Date: Sun, 18 Jun 2017 11:38:45 +0200
User-agent: mu4e 0.9.18; emacs 25.2.1

Ludovic Courtès <address@hidden> writes:

> BTW, should --only-substitutes filter out packages without a substitute,
> or should it simply stop and report the list of missing substitutes
> (after which the user could use --do-not-upgrade)?

In my opinion “--only-substitutes” should stop and report a list.
If it continued without complaining there could be problems:

* partial upgrades could leave the profile in an unusable state

* an attacker could use this to trick a user into thinking that they
  have all available updates

On the other hand, it would make “--only-substitutes” less usable,
because to actually perform work one would have to deal with the failure

I suppose it could download the substitutes but not build a new profile
and report an error at that point.


GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC

reply via email to

[Prev in Thread] Current Thread [Next in Thread]