On Saturday, 17 February 2007, Duncan wrote:
> Question: With the old library still around, will revdep-rebuild even try
> to rebuild anything linked against it? Maybe I'm wrong, but I thought it
> would only rebuild when the library was actually missing. (There's also a
> hint of that in another comment, but maybe I'm reading that wrong as well.)

The question isn't so much whether revdep-rebuild picks it up; the problem
from my POV is that the information to rebuild against the new library shows
up only once via ewarn in pkg_postinst, and inexperienced users may not have
configured the elog facility and may miss the emerge output scrolling by,
so the library and everything built against it remains as it is.

Therefore I consider the preserve-libs functionality one of the biggest
security threats for Gentoo users. You may dismiss this, saying the problem
sits in front of the keyboard, but I'm telling you this is careless and that
we can do better:

echo "/path/to/preserved.so" >> /var/lib/portage/preserved_libs

stores the libraries, and each time emerge is run Portage can look up whether
the file lists libraries, check whether those exist, and if not remove the
lines, or otherwise warn the user about the possibly vulnerable libraries and
tell him what to do.

Simple solution at low cost. Fine with this idea?


Carsten


--
gentoo-portage-dev@g.o mailing list
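
The check proposed in the message above, sketched as an added shell example; it is not Portage code and not part of the original message. It assumes the registry holds one absolute path per line, as the echo line writes it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Portage code. Assumption: the registry is a text file
# with one absolute library path per line, as the echo line above writes it.

# check_preserved_libs REGISTRY   (hypothetical name)
# Drops entries whose file is gone, rewrites the registry, and prints the
# libraries still on disk. Returns 0 if none remain, 1 if some do.
check_preserved_libs() {
    registry=$1
    [ -f "$registry" ] || return 0             # no registry: nothing preserved

    tmp=$(mktemp "${registry}.XXXXXX") || return 2
    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -n "$lib" ] || continue              # skip blank lines
        if [ -e "$lib" ]; then
            printf '%s\n' "$lib" >> "$tmp"     # still installed: keep entry
        fi
    done < "$registry"

    sort -u -o "$tmp" "$tmp"                   # repeated appends add duplicates
    chmod 644 "$tmp"                           # mktemp creates the file as 0600
    mv -f "$tmp" "$registry"                   # rename, so no half-written file

    if [ -s "$registry" ]; then
        cat "$registry"
        return 1
    fi
    return 0
}

# warn_preserved_libs REGISTRY   (hypothetical name)
# Intended to run on every emerge invocation, so the notice repeats until
# the old libraries are gone instead of appearing once in pkg_postinst.
warn_preserved_libs() {
    rc=0
    libs=$(check_preserved_libs "$1") || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    {
        echo "WARNING: old library versions are still installed:"
        printf '%s\n' "$libs" | sed 's/^/    /'
        echo "Rebuild the packages linked against them (for example with"
        echo "revdep-rebuild), then remove the old files."
    } >&2
    return 1
}
```

Entries disappear from the registry on their own once the old file is removed, so the warning stops without any manual cleanup of the list.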