List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
Brad Plant wrote:
>>>Ok, I just checked the security handbook and it only mentions
>>>glsa-check. Ok, its probably my bad... but shouldnt emerge world
>>>merge security updates too?
>>"world" is only the contents of /var/lib/portage/world and their (deep
>>if using --deep) dependencies. Integration of glsa-check in the form of
>>"emerge --security" or some such is planned. An "all" target is also
> Running "emerge -pv depclean" should show any packages not covered by
> "world" right?
Unfortunately, that is *too* correct. Unfortunate in that both
--depclean and --update only consider USE flags defined in make.conf and
package.use (and embedded in .tbz2s when using binaries). This means
that if package "foo" depends on package "bar" due to USE flag "baz"
being enabled at install time and "baz" is subsequently disabled, "bar"
becomes an orphaned package as far as the graph goes - even though it is
What does this mean in terms of security? The "only install what you
need" rule is twice as important. Until portage is a little smarter, I
would consider a "healthy" system to be one where `emerge -uDNvp world`
shows no differing USE flags and both `emerge -p --depclean` and
`revdep-rebuild -p` show no packages.
email@example.com mailing list