tech-pkg archive


dependency explosion



Hi all,
I tried to build rrdtool the other day because freetype2 (which it depends on) has a vulnerability and I like fixing my daily insecurity reports.

I became a little bit concerned when "make package" started building various low level X libraries. My server isn't very quick, and even though I don't build on my production box, it still wasn't going to be quick. I turned off the X dependency and started the build again. This time it decided to build FAM.

I'm sure there are reasons why these dependencies are there, but if you tell someone that we need to have X libraries and FAM installed on a NetBSD web server in order to publish RRD graphs, they'll tell you that we have reached the absurdum in reductio ad absurdum. Unfortunately the package dependency tools haven't been as helpful as I would like. pkgdep doesn't seem to work right now, and pkgdepgraph works on installed package dependencies. If I can get a package dependency graph it might help find somewhere to conveniently prune the graph by switching off a default dependency.

Does anyone else really care? Those of us deploying systems into sensitive environments certainly value minimised installs rather than the Linux approach of everything except the stuff you need.

Cheers
--
Lloyd Parkes
Senior Systems Programmer
Open Systems
Ph: +64 4 890 2437

