List Archive: gentoo-security
Brad Plant wrote:
>>>Ok, I just checked the security handbook and it only mentions
>>>glsa-check. Ok, it's probably my bad... but shouldn't emerge world
>>>merge security updates too?
>>
>>"world" is only the contents of /var/lib/portage/world and their (deep
>>if using --deep) dependencies. Integration of glsa-check in the form of
>>"emerge --security" or some such is planned. An "all" target is also
>>planned.
>
> Running "emerge -pv depclean" should show any packages not covered by
> "world" right?

Unfortunately, that is *too* correct. Unfortunate in that both
--depclean and --update only consider USE flags defined in make.conf and
package.use (and embedded in .tbz2s when using binaries). This means
that if package "foo" depends on package "bar" due to USE flag "baz"
being enabled at install time and "baz" is subsequently disabled, "bar"
becomes an orphaned package as far as the graph goes - even though it is
still required.

What does this mean in terms of security? The "only install what you
need" rule is twice as important. Until portage is a little smarter, I
would consider a "healthy" system to be one where `emerge -uDNvp world`
shows no differing USE flags and both `emerge -p --depclean` and
`revdep-rebuild -p` show no packages.
--
Jason Stubbs
--
gentoo-security@g.o mailing list
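
The orphaning described in the post above, as an added example that is not part of the original message and is not Portage code: a simplified Python model of the dependency graph in which `foo` pulls in `bar` only under USE flag `baz`. The `libc` and `old-tool` packages, the `BUILT_USE` table and the function names are assumptions made for illustration.

```python
# Simplified model of a dependency graph; this is not Portage's resolver.
# foo/bar/baz follow the post; every other name and value is constructed.

# Each dependency is (target, use_flag); use_flag None means unconditional.
DEPENDS = {
    "foo": [("bar", "baz"), ("libc", None)],
    "bar": [("libc", None)],
    "libc": [],
    "old-tool": [],
}
WORLD = {"foo"}
INSTALLED = set(DEPENDS)

# USE flags each package was actually built with (state at install time).
BUILT_USE = {"foo": {"baz"}, "bar": set(), "libc": set(), "old-tool": set()}


def reachable(world, use_for):
    """Packages reachable from world, following a conditional edge only
    when use_for(pkg) contains the flag that guards it."""
    seen, stack = set(), list(world)
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for target, flag in DEPENDS[pkg]:
            if flag is None or flag in use_for(pkg):
                stack.append(target)
    return seen


def audit(configured_use):
    """Return (depclean_candidates, still_required, use_drift)."""
    by_config = reachable(WORLD, lambda pkg: configured_use.get(pkg, set()))
    by_build = reachable(WORLD, lambda pkg: BUILT_USE[pkg])
    candidates = INSTALLED - by_config        # what a config-only graph drops
    still_required = candidates & by_build    # dropped, yet built against
    drift = {p for p in INSTALLED
             if configured_use.get(p, set()) != BUILT_USE[p]}
    return candidates, still_required, drift


if __name__ == "__main__":
    # "baz" was enabled when foo was built and has since been disabled.
    candidates, required, drift = audit({"foo": set()})
    print("depclean would list:", sorted(candidates))
    print("of which still required:", sorted(required))
    print("packages with differing USE:", sorted(drift))
```

With `baz` disabled in the configuration, `bar` lands among the removal candidates and falls out of the update graph while the installed `foo` was still built against it, which is why the differing USE flags have to be resolved before the depclean listing can be trusted.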