Comment 62 for bug 913230

(In reply to comment #60)
> this is exactly what i mean.
>
> we're talking about a new dependency in an update. so this new dependency could
> very well be a leaf package before it happend.
>
> and, you can't really put an update in a backport because of that...

If there is a new dependancy for a backport, it indicates likely that there is an important change in the package. So I think that is it entirely reasonable to require the user to explicitly authorise the update if the new dependancy is also in backports.

Like you say regarding tmb's statement regarding updates, it does get somewhat involved to properly implement. But by doing in properly, we greatly enhance the reliablility of the update process :)