On Thu, Sep 12, 2019 at 5:11 PM Michael Orlitzky <mjo@g.o> wrote:
>
> On 9/12/19 1:43 PM, Mike Gilbert wrote:
> >
> > They do "go away" if you pass the right options to emerge, or if you
> > install it from a binpkg in the first place.
> >
>
> The dependencies are statically linked into the final executable forever
> and receive no security updates. Portage doesn't even know they're
> there. Depclean doesn't do what you think it does in that case. (I'm
> sure you personally understand how this works, but a regular user has no
> idea that we've installed 100MB of vulnerable code on his machine and
> have just abandoned it there.)

Putting the dependencies in RDEPEND means users get stuck with yet
another copy of the code installed, in addition to the copy that is
statically linked into all reverse dependencies.

It's not a very good solution to the problem.