Ville Skyttä wrote:
> That "reason" could be a bad Obsoletes in the new package.

That's why I said "new packages that don't replace anything" in my original
message. If they Obsolete something else, then they're not really new
packages.

> And even the new Name and Provides from the new package may result in it
> being pulled in along with other updates to satisfy dependencies without
> being explicitly asked for.

Well, true, new packages which Provide some common virtual Provides like
bluez-dbus-pin-helper also need the same scrutiny as upgrades to explicit
packages. That's not the common case though, and it happening due to Name
alone is very unlikely (it would mean something else Provides that name and
a third package depends on it by name).

> When either of these happens, it in my opinion qualifies as the new
> package being installed automatically, and because there are several ways
> new installed packages can break existing systems, the combined result is
> that it is very much possible for newly introduced packages to
> "automatically break existing systems".

New packages which don't Obsolete existing packages or Provide existing
provided names cannot cause any of the above. (They may technically trigger
broken triggers, but it's extremely unlikely that an existing package has a
trigger on something not previously in Fedora. If it's an outright malicious
trigger, like "delete everything if somebody installs package foo", then we
have a much bigger problem than update stability!)

Kevin Kofler
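
Added example, not part of the original message and not Fedora tooling: a small check for the three paths discussed in this thread by which a new package can reach a system without being asked for (Obsoletes, a shared Provides, or its Name matching an existing Provides). It assumes a simplified model with unversioned names only; every package name except bluez-dbus-pin-helper is hypothetical and the repository data is constructed.

```python
# Simplified model (assumption): unversioned Obsoletes/Provides only,
# no file provides, no triggers.
# Constructed sample: existing package name -> capabilities it Provides.
# All names except bluez-dbus-pin-helper are hypothetical.
EXISTING = {
    "bt-stack": {"bt-stack"},
    "desktop-bt-applet": {"desktop-bt-applet", "bluez-dbus-pin-helper"},
    "oldtool": {"oldtool"},
}


def auto_install_paths(new_pkg, existing):
    """List the ways new_pkg could be installed without being asked for.

    Returns sorted (kind, capability) tuples. An empty list means the
    package only reaches a system when somebody installs it explicitly.
    """
    names = set(existing)
    provided = set().union(*existing.values())
    paths = []
    # An Obsoletes on an existing package replaces it during an update.
    for target in new_pkg["obsoletes"] & names:
        paths.append(("obsoletes", target))
    # A capability that is already provided makes the new package a
    # candidate for satisfying dependencies of installed packages.
    for cap in new_pkg["provides"] & provided:
        paths.append(("provides", cap))
    # The Name counts as an implicit Provides: the unlikely case where an
    # existing package already Provides exactly that name.
    name = new_pkg["name"]
    if name in provided and name not in new_pkg["provides"]:
        paths.append(("name", name))
    return sorted(paths)


def needs_update_scrutiny(new_pkg, existing=EXISTING):
    """True if the 'new' package should be reviewed like an update."""
    return bool(auto_install_paths(new_pkg, existing))


if __name__ == "__main__":
    candidate = {"name": "other-bt-applet", "obsoletes": set(),
                 "provides": {"other-bt-applet", "bluez-dbus-pin-helper"}}
    for kind, cap in auto_install_paths(candidate, EXISTING):
        print(f"{candidate['name']}: reachable via {kind} {cap}")
```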