A while ago, I posted a series of pkg-config related messages: 1, 2 and 3. They were intended to give some background knowledge about that program, to let me easily explain something else: how pkg-config can be used to sanity-check packages — that is, to ensure that the libraries they depend on are the correct ones.
In pkgsrc, direct dependencies are specified by including special buildlink3.mk files. These files have a default version specification in them, so that a reasonable value is kept somewhere centralized. For example, in the current tree, when you include glib2's buildlink3.mk file, you get a dependency such as glib2>=2.6.1. So far so good.
Now suppose that you are packaging a program which requires, at least, version 2.6.4. You need to make sure that the new package specifies that, like in glib2>=2.6.4, to avoid problems if an older version is installed. The problem is that manually checking this is very difficult; if the developer has the required version (2.6.4) already installed, he won't notice that the configuration script is requiring a newer version than the one specified in the buildlink3.mk file.
Similar problems arise with indirect dependencies. Consider a package which requires libgnomeui and gtk2. If this package includes libgnomeui's buildlink3.mk file alone, it will build correctly, because this will automatically pull in gtk2's buildlink3.mk file. However, this is incorrect, because the resulting binary package will miss a direct dependency on gtk2. Discovering these issues is quite difficult.
The thing is that I have found a way to notice these problems in an automated fashion (rather than manually reviewing tons of code in configuration scripts). Given that the configure scripts (usually) call pkg-config for each direct dependency, it's a matter of capturing these calls, storing them in a log file to compare them later on with the package's specification files.
To achieve this, I've written a little patch for pkg-config which makes it write a log file with all the queries it receives and their results. Then, I've made pkgsrc use the patch to generate such file inside WRKDIR. And finally, I've written a script, called verifypc, that compares the log file with what the package's Makefile contains.
It saves me a lot of time when updating packages to newer versions, as I can quickly see if I need to modify the dependencies. However, the script still has multiple problems (such as thinking that 2.9 is newer than 2.10) and, frankly, is very ugly. I guess I'll have to clean up this stuff and include it in pkgsrc ;)