pkg/32779: pkgsrc "make update" removes packages inappropriately (IMHO!)

[anne%porcupine.montreal.qc.ca@localhost]

>Number:         32779
>Category:       pkg
>Synopsis:       pkgsrc "make update" removes packages inappropriately (IMHO!)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 09 01:10:01 +0000 2006
>Originator:     Anne Bennett
>Release:        3.0, pkgsrc as per CVS 2006-02-07
>Organization:
>Environment:
NetBSD quill.porcupine.montreal.qc.ca 3.0 NetBSD 3.0 (QUILL_AMD64) #4: Mon Jan  
2 17:33:19 EST 2006  
root%newquill.porcupine.montreal.qc.ca@localhost:/disks/nobak/netbsd/netbsd-3.0/src/sys/arch/amd64/compile/QUILL_AMD64
 amd64

>Description:
Running "make update" in a package can end up removing a
package if no non-vulnerable version is currently available.
More annoyingly, since dependencies are followed, it can
end up removing additional packages as well, with all kinds
of unintended effects.
>How-To-Repeat:
Type "make update" for a package for which a vulnerability
has been listed and downloaded as part of the result of
"download-vulnerability-list" (from security/audit-packages).
>Fix:
I think it would be helpful if the de-installation did not run
until and unless the "make" had completed successfully.

I hope that this can be addressed; I'm starting to be afraid to
pull a cvs update of packages and "make update", not because I
might get a failed make or unstable software, but because I'm never
sure what's going to be pulled out from under me.  :-(

Because of the following of dependencies, going "make && make update"
is not enough protection against unwanted package removal.