1 |
On 9/12/19 1:43 PM, Mike Gilbert wrote: |
2 |
> |
3 |
> They do "go away" if you pass the right options to emerge, or if you |
4 |
> install it from a binpkg in the first place. |
5 |
> |
6 |
|
7 |
The dependencies are statically linked into the final executable forever |
8 |
and receive no security updates. Portage doesn't even know they're |
9 |
there. Depclean doesn't do what you think it does in that case. (I'm |
10 |
sure you personally understand how this works, but a regular user has no |
11 |
idea that we've installed 100MB of vulnerable code on his machine and |
12 |
have just abandoned it there.) |