Gentoo Archives: gentoo-security

From: Jason Stubbs <jstubbs@××××××××××.jp>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Thu, 22 Sep 2005 02:54:40
Message-Id: 43321C92.5010504@work-at.co.jp
In Reply to: Re: [gentoo-security] Kernels and GLSAs by Brad Plant
Brad Plant wrote:
>>> Ok, I just checked the security handbook and it only mentions
>>> glsa-check. Ok, it's probably my bad... but shouldn't emerge world
>>> merge security updates too?
>>
>> "world" is only the contents of /var/lib/portage/world and their (deep
>> if using --deep) dependencies. Integration of glsa-check in the form of
>> "emerge --security" or some such is planned. An "all" target is also
>> planned.
>
> Running "emerge -pv depclean" should show any packages not covered by
> "world" right?
Unfortunately, that is *too* correct. Unfortunate in that both --depclean and --update only consider USE flags defined in make.conf and package.use (and embedded in .tbz2s when using binaries). This means that if package "foo" depends on package "bar" due to USE flag "baz" being enabled at install time and "baz" is subsequently disabled, "bar" becomes an orphaned package as far as the graph goes - even though it is still required.

What does this mean in terms of security? The "only install what you need" rule is twice as important. Until portage is a little smarter, I would consider a "healthy" system to be one where `emerge -uDNvp world` shows no differing USE flags and both `emerge -p --depclean` and `revdep-rebuild -p` show no packages.

--
Jason Stubbs

--
gentoo-security@g.o mailing list
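The three-part "healthy system" test described in the post, wrapped into a script as an added example (this is not code from the mailing list or from Portage). The output formats of `emerge -pv`, `emerge -p --depclean` and `revdep-rebuild -p` differ between Portage versions, so the two parsers below are assumptions about the general shape of that output (a changed USE flag carries a trailing `*` in the pretend output; pending packages appear as `category/package-version` atoms), and the `SAMPLE_*` variables are constructed, not captured from a real system. The function names `count_use_changes`, `count_atoms` and `system_healthy` are likewise this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing list or from Portage: wraps the three
# "healthy system" checks from the post into one script. Output formats of
# emerge/depclean/revdep-rebuild vary between Portage versions, so the parsers
# below are an assumption about the general shape of that output, and the
# SAMPLE_* variables are constructed, not captured from a real system.

# `emerge -uDNvp world` marks a USE flag whose value differs from the one the
# package was built with by a trailing '*'. Count those flags across the
# pretend output read from stdin; the post's "healthy" system yields 0.
count_use_changes() {
    awk '
        /^\[ebuild/ {
            s = $0
            if (sub(/.*USE="/, "", s) == 0) next   # line has no USE="..." group
            sub(/".*/, "", s)                      # keep only the flag list
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) {
                gsub(/[()]/, "", f[i])             # drop masked-flag parentheses
                if (f[i] ~ /\*$/) c++
            }
        }
        END { print c + 0 }'
}

# Count category/package atoms in `emerge -p --depclean` or `revdep-rebuild -p`
# output read from stdin. Leading =, >=, ~ operators are stripped first; any
# remaining category/package-version token counts as one pending package.
count_atoms() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                w = $i
                sub(/^[=><~!]+/, "", w)
                if (w ~ /^[a-z0-9][a-z0-9-]*\/[A-Za-z0-9+_.-]+$/) c++
            }
        }
        END { print c + 0 }'
}

# Returns 0 only when all three counters are zero: no differing USE flags,
# nothing for --depclean to remove, nothing for revdep-rebuild to rebuild.
system_healthy() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Constructed sample output (not real captures), shaped like the Portage
# tools' pretend output: two changed flags, two orphans, one broken link.
SAMPLE_EMERGE='[ebuild   R   ] net-misc/curl-7.14.0  USE="ipv6 ssl* -ares -ldap*" 0 kB
[ebuild   R   ] app-editors/vim-6.3  USE="gpm ncurses -acl (-selinux)" 0 kB'
SAMPLE_DEPCLEAN='>>> These are the packages that would be unmerged:

 dev-libs/example-lib-1.0
 sys-libs/example-compat-2.3'
SAMPLE_REVDEP=' * Assigning files to packages
 * Evaluating package order
emerge --oneshot -p =dev-libs/example-lib-1.0'

# Run the real checks on a Gentoo box when invoked with --live; otherwise the
# script only defines the functions and the sample data.
if [ "${1:-}" = "--live" ]; then
    u=$(emerge -uDNvp world 2>/dev/null | count_use_changes)
    d=$(emerge -p --depclean 2>/dev/null | count_atoms)
    r=$(revdep-rebuild -p 2>/dev/null | count_atoms)
    echo "USE changes: $u, depclean candidates: $d, revdep-rebuild candidates: $r"
    # Pending GLSAs: the check the post says "emerge world" does not perform.
    glsa-check -t all
    if system_healthy "$u" "$d" "$r"; then echo "healthy"; else echo "NOT healthy"; fi
fi
```

Against the constructed samples the three counters come out as 2, 2 and 1, so `system_healthy` reports the sample state as not healthy; on a live system the counts are whatever the real tools print, and a non-zero depclean count is exactly the "orphaned but still required" situation the post warns about, so review that list by hand rather than unmerging it blindly.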