Hi Ricardo,

On 09.08.19 at 10:54, Ricardo Wurmus wrote:
> Whenever an input is changed the package will be rebuilt, because we
> can’t know if the presence of a package will affect the build or not.
>
> In the case of patching references the presence of the input *will*
> affect the output (as a reference to the absolute file name will be
> recorded).  In the case of propagated inputs it’s really the same,
> except that the package will also be installed into the target profile.

My concerns are not about building, but about installing. A concrete example:

Obviously this will *not* update ansible, and ansible will still use the old, vulnerable version of openssh.

OTOH, if ansible would run ssh via $PATH, ansible would pick up the new version of openssh.

FWIW: some way to install openssh automatically along with ansible, while not specifying a specific version of openssh to be used, thus if openssh is updated (but ansible is not), ansible will pick up the new version.

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |
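
The difference discussed in this message between a reference patched to an absolute file name and a lookup via $PATH, as an added shell simulation that is not part of the original thread. The directory layout, the version numbers 1.0 and 2.0, and the stub `ansible` and `ssh` scripts are constructed stand-ins, not Guix's real store or packages.

```shell
#!/bin/sh
# Constructed simulation: a fake "store" with two openssh builds and a
# "profile" symlink. Nothing here touches a real Guix store or profile.
set -eu

setup_demo() {
    root=$(mktemp -d)
    for v in 1.0 2.0; do
        mkdir -p "$root/store/openssh-$v/bin"
        printf '#!/bin/sh\necho openssh-%s\n' "$v" > "$root/store/openssh-$v/bin/ssh"
        chmod +x "$root/store/openssh-$v/bin/ssh"
    done
    mkdir -p "$root/store/ansible-patched/bin" "$root/store/ansible-path/bin"
    # Variant A: the build recorded the absolute file name of ssh 1.0.
    printf '#!/bin/sh\nexec "%s/store/openssh-1.0/bin/ssh"\n' "$root" \
        > "$root/store/ansible-patched/bin/ansible"
    # Variant B: ssh is resolved through $PATH at run time.
    printf '#!/bin/sh\nexec ssh\n' > "$root/store/ansible-path/bin/ansible"
    chmod +x "$root/store/ansible-patched/bin/ansible" \
             "$root/store/ansible-path/bin/ansible"
    # The profile initially exposes openssh 1.0.
    ln -s "$root/store/openssh-1.0/bin" "$root/profile-bin"
    echo "$root"
}

# Stand-in for updating only openssh in the profile; ansible is not rebuilt.
upgrade_openssh() {
    rm -f "$1/profile-bin"
    ln -s "$1/store/openssh-2.0/bin" "$1/profile-bin"
}

run_patched()  { "$1/store/ansible-patched/bin/ansible"; }
run_via_path() { PATH="$1/profile-bin:$PATH" "$1/store/ansible-path/bin/ansible"; }

demo=$(setup_demo)
echo "before: patched=$(run_patched "$demo") path=$(run_via_path "$demo")"
upgrade_openssh "$demo"
echo "after:  patched=$(run_patched "$demo") path=$(run_via_path "$demo")"
rm -rf "$demo"
```

After the profile update the patched variant still runs the ssh it was built against, while the $PATH variant runs whatever the profile currently provides.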