| 1 |
On 10/11/2011 10:28 PM, Mike Gilbert wrote: |
| 2 |
> On 10/12/2011 12:54 AM, Zac Medico wrote: |
| 3 |
>> On 10/11/2011 12:56 PM, Michał Górny wrote: |
| 4 |
>>> Or go with a saner defaults... |
| 5 |
>> |
| 6 |
>> So, are any of the following sane? |
| 7 |
>> |
| 8 |
>> 1) Pull in updates for packages even though those packages won't be used |
| 9 |
>> for anything. |
| 10 |
>> |
| 11 |
> |
| 12 |
> Francisco raised a possibly valid point in his original message: though |
| 13 |
> packages may not be currently used for anything, but they could contain |
| 14 |
> un-patched security flaws. |
| 15 |
|
| 16 |
If they contain something that's accessed at runtime, then they should |
| 17 |
be in RDEPEND or PDEPEND, no exceptions. |
| 18 |
|
| 19 |
> This seems pretty unlikely to me given the sorts of packages that are |
| 20 |
> build-time-only deps, but it could be possible. |
| 21 |
|
| 22 |
We can try to split up people who care about this into categories: |
| 23 |
|
| 24 |
1) People who are "security conscious" or just plain paranoid can set |
| 25 |
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to ease their minds. |
| 26 |
|
| 27 |
2) People who want all build-time deps up to date at all times, in case |
| 28 |
they decide to rebuild something on a whim, can set |
| 29 |
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to keep everything up to date. This |
| 30 |
is what I do. |
| 31 |
|
| 32 |
3) People who think they might use a particular package and want to |
| 33 |
ensure that it's the latest version can add that package to the world |
| 34 |
file. They can look for possible candidates in the output of `emerge |
| 35 |
--pretend --depclean --with-bdeps=n`. |
| 36 |
-- |
| 37 |
Thanks, |
| 38 |
Zac |
Archives