Hi everyone!
Because of broken dependencies in an update declared as stable, I've run into package "condor". It's a 20K spec file with a remarkably short review ticket, and I wondered why it contains the following explicit dependencies?
Requires: pcre
Requires: postgresql-libs
Requires: openssl
Requires: krb5-libs
Requires: gsoap
Requires: mailx
Actually, all of them except for "mailx" are added automatically by rpmbuild already (as dependencies on SONAMEs): http://koji.fedoraproject.org/koji/rpminfo?rpmID=948426
I've double-checked with the current ReviewGuidelines, and I could not find a corresponding entry that would make reviewers block such explicit dependencies. If memory serves correctly, we've had a section somewhere in the Wiki. Searching further, I've found only
https://fedoraproject.org/wiki/Packaging/Guidelines#Requires
which only says
RPM has very good capabilities of automatically finding dependencies for libraries and eg. Perl modules. In short, don't reinvent the wheel, but just let rpm do its job. There is usually no need to explicitly list eg. Requires: libX11 when the dependency has already been picked up by rpm in the form of depending on libraries in the libX11 package.
and which is linked from the review item
MUST: The package must meet the Packaging Guidelines.
The phrase "there is usually no need to" is vague without any emphasis like SHOULD/MUST and no specific entry in the review guidelines.
Does anyone remember where the paragraph has gone, which commented on the badness of explicit dependencies on package names?
On Fri, 16 Jan 2009 09:52:29 -0500, Tom wrote:
> On Fri, 2009-01-16 at 11:41 +0100, Michael Schwendt wrote:
> > Does anyone remember where the paragraph has gone, which commented on the badness of explicit dependencies on package names?
> I'm not sure there was ever such a paragraph. Would you like to propose one?
SHOULD: Reviewer should examine an RPM package's list of dependencies and (1) eliminate superfluous explicit ''Requires'' within the spec file and (2) ensure that any non-superfluous or versioned explicit ''Requires'' are explained in comments in the spec file.
In particular, we rely on rpmbuild's automatically added dependencies on library SONAMEs. Modern package management tools are capable of resolving such dependencies to determine the required packages. Explicit dependencies on specific package names may aid the inexperienced user, who attempts to install RPM packages manually. However, history has shown that such dependencies add confusion when library/files are moved from one package to another, when packages get renamed, when one out of multiple alternative packages would suffice, and when versioned explicit dependencies become out-of-date and inaccurate. Additionally, in some cases, old explicit dependencies on package names require unnecessary updates/rebuilds (for example, after renaming a package, virtual package names are not kept forever).
Exemplary rationale for a versioned explicit dependency:
# The automatic dependency on libfubar.so.1 is insufficient,
# as we strictly need at least the release that fixes two segfaults.
Requires: libfubar >= 0:1.2.3-7
Packager should revisit an explicit versioned dependency as appropriate to avoid that it becomes inaccurate and superfluous.
packaging@lists.fedoraproject.org
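The review item proposed above, sketched as a check over a spec file. This is an added example, not part of the original thread or of any Fedora tool. The spec fragment and the SONAME-to-package map are constructed; on a real system the map would come from the built package's automatic dependencies (`rpm -qp --requires`) resolved with `rpm -q --whatprovides`.

```python
import re

# Constructed spec fragment for illustration (not the real condor spec).
SAMPLE_SPEC = """\
Name: example
Requires: pcre
Requires: openssl
Requires: mailx
# The automatic dependency on libfubar.so.1 is insufficient,
# as we strictly need at least the release that fixes two segfaults.
Requires: libfubar >= 0:1.2.3-7
Requires: gsoap >= 2.7
"""

# Constructed map: automatically detected SONAME -> package providing it.
AUTO_PROVIDERS = {
    "libpcre.so.0": "pcre",
    "libssl.so.7": "openssl",
    "libfubar.so.1": "libfubar",
    "libgsoap.so.0": "gsoap",
}

REQ = re.compile(r"^Requires(?:\([^)]*\))?:\s*(.+)$")
VERSIONED = re.compile(r"^[^\s<>=]+\s*(?:<=|>=|=|<|>)\s*\S+$")


def review_requires(spec_text, auto_providers):
    """Return (line_no, dependency, verdict) for every explicit Requires."""
    auto_pkgs = set(auto_providers.values())
    findings = []
    prev_is_comment = False
    for no, line in enumerate(spec_text.splitlines(), 1):
        stripped = line.strip()
        m = REQ.match(stripped)
        if m:
            # Only comma-separated lists are split; one dependency per tag is the common case.
            for dep in filter(None, (d.strip() for d in m.group(1).split(","))):
                if not VERSIONED.match(dep) and dep in auto_pkgs:
                    verdict = "superfluous"    # rpmbuild already requires the SONAME
                elif prev_is_comment:
                    verdict = "explained"      # rationale comment directly above
                else:
                    verdict = "needs-comment"  # versioned or non-automatic, no rationale
                findings.append((no, dep, verdict))
        prev_is_comment = stripped.startswith("#")
    return findings


if __name__ == "__main__":
    for finding in review_requires(SAMPLE_SPEC, AUTO_PROVIDERS):
        print(*finding, sep="\t")
```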