Consider installed zeek and zkg versions when finding best version tag

Open ckreibich opened this issue 3 years ago • 6 comments

When a package has version tags, installation of that package without requesting a specific version or branch causes zkg to pick the numerically greatest version tag (based on semver ordering). That's definitely reasonable, but we currently don't deviate from that version even if it's incompatible with the installed Zeek or zkg version.

Over time, it's pretty likely that newer version tags are compatible only with newer Zeek versions. If a package doesn't make those dependencies explicit, there's not a whole lot we can do, but when it does, I'm thinking it would be reasonable to step backward through the version history to find one that's compatible with what's locally available.

Consider Community ID: its latest version (3.2.0) works with any Zeek >= 3.2, and it has older tags that work with older Zeeks. If I have a recent Zeek, all is well, but with an older Zeek this happens:

$ zkg install zeek-community-id
error: failed to resolve dependencies: unsatisfiable dependency: "zeek" (3.1.5) is installed, but "zeek/corelight/zeek-community-id" requires >=3.2.0

To fix this, you have to know which version tag to pick. It's documented in the README, but the user needs to figure it out. I put together a prototype that walks back through the tags, here ... with it I get:

$ zkg install zeek-community-id
The following packages will be INSTALLED:
  zeek/corelight/zeek-community-id (3.1.0)

Proceed? [Y/n]
Running unit tests for "zeek/corelight/zeek-community-id"
Installing "zeek/corelight/zeek-community-id"..
Installed "zeek/corelight/zeek-community-id" (3.1.0)
Loaded "zeek/corelight/zeek-community-id"

It first considered the latest tag, 3.2.0, which fails the Zeek dependency, and then moved on to 3.1.0, which is marked compatible with Zeek 3.1.5, currently installed.

I'm definitely not sure this is the right way to do it since the code has a few spots where it picks the greatest version number and the dependency code is a bit tricky. I was mainly curious to see if other hiccups would come up, but it seems manageable.

Thoughts?

ckreibich, Mar 16 '21 19:03
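
The walk-back the issue describes, as an added example (this is not zkg's code and not the prototype linked in the issue): tags are tried from the greatest semver downward, and the first one whose declared dependencies match the installed versions is chosen. The function names, the comma-separated constraint syntax and the sample tag metadata are assumptions; only the `>=3.2.0` requirement of tag 3.2.0 comes from the issue.

```python
import operator as op
import re

OPS = {">=": op.ge, "<=": op.le, "==": op.eq, ">": op.gt, "<": op.lt}

def parse_version(text):
    """Parse 'v3.1.0' or '3.1.0' into a comparable tuple; None if not X.Y.Z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def satisfies(installed, spec):
    """True if installed meets every clause of a spec like '>=3.1.0,<3.2.0'."""
    if spec is None or spec.strip() == "*":
        return True  # no explicit constraint: nothing to check
    have = parse_version(installed)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*(\S+)\s*", clause)
        want = parse_version(m.group(2)) if m else None
        if have is None or want is None:
            return False  # unparsable version or clause: treat as unsatisfied
        if not OPS[m.group(1)](have, want):
            return False
    return True

def best_compatible_tag(tag_deps, installed):
    """tag_deps: {tag: {dep_name: spec}}; installed: {dep_name: version}.
    Returns (chosen_tag_or_None, [(rejected_tag, reason), ...])."""
    rejected = []
    # Non-semver tags (branch-like names) are not candidates for "best version".
    tags = [t for t in tag_deps if parse_version(t) is not None]
    for tag in sorted(tags, key=parse_version, reverse=True):
        # Only dependencies on locally known components (e.g. zeek) are checked.
        bad = [f'"{name}" ({installed[name]}) is installed, but {tag} requires {spec}'
               for name, spec in tag_deps[tag].items()
               if name in installed and not satisfies(installed[name], spec)]
        if not bad:
            return tag, rejected
        rejected.append((tag, "; ".join(bad)))
    return None, rejected  # every tag conflicts: the caller should report why

# Constructed metadata; only the 3.2.0 constraint appears in the issue.
SAMPLE_TAGS = {
    "3.2.0": {"zeek": ">=3.2.0"},
    "3.1.0": {"zeek": ">=3.1.0,<3.2.0"},
    "3.0.0": {"zeek": ">=3.0.0,<3.1.0"},
    "nightly": {},
}

if __name__ == "__main__":
    print(best_compatible_tag(SAMPLE_TAGS, {"zeek": "3.1.5"}))
```

Returning the rejected tags with their reasons lets the installer tell the user that an older release was selected and why, rather than downgrading silently.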