| 1 |
On Thu, Sep 12, 2019 at 5:11 PM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> |
| 3 |
> On 9/12/19 1:43 PM, Mike Gilbert wrote: |
| 4 |
> > |
| 5 |
> > They do "go away" if you pass the right options to emerge, or if you |
| 6 |
> > install it from a binpkg in the first place. |
| 7 |
> > |
| 8 |
> |
| 9 |
> The dependencies are statically linked into the final executable forever |
| 10 |
> and receive no security updates. Portage doesn't even know they're |
| 11 |
> there. Depclean doesn't do what you think it does in that case. (I'm |
| 12 |
> sure you personally understand how this works, but a regular user has no |
| 13 |
> idea that we've installed 100MB of vulnerable code on his machine and |
| 14 |
> have just abandoned it there.) |
| 15 |
|
| 16 |
Putting the dependencies in RDEPEND means users get stuck with yet |
| 17 |
another copy of the code installed, in addition to the copy that is |
| 18 |
statically linked into all reverse dependencies. |
| 19 |
|
| 20 |
It's not a very good solution to the problem. |
Archives