Gentoo Archives: gentoo-portage-dev

From: Simon Stelling <blubb@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] New preserve-libs feature
Date: Sat, 17 Feb 2007 13:56:08
Message-Id: 45D7094E.7070606@gentoo.org
In Reply to: [gentoo-portage-dev] New preserve-libs feature by Marius Mauch
1 Marius Mauch wrote:
2 > So everyone who has valid objections to the _general idea_ of this
3 > implementation (preserving old libraries to avoid some runtime linker
4 > errors) speak up now.
5
6 For how long are these libraries preserved? This might have a security
7 impact in cases like the recent openssl-case where you had to upgrade to
8 an incompatible ABI because the version using the old one was
9 vulnerable. Using preserve-libs it would leave the old lib around,
10 making it possible for programs to link against the wrong version and
11 ending up being vulnerable. I realize that the feature is meant to help
12 the transitional phase until all apps are built against the new ABI, but
13 how would you find these vulnerable apps currently? revdep-rebuild
14 wouldn't rebuild them since they are still functional.
15
16 --
17 Kind Regards,
18
19 Simon Stelling
20 Gentoo/AMD64 developer
21 --
22 gentoo-portage-dev@g.o mailing list

Replies

Subject Author
Re: [gentoo-portage-dev] New preserve-libs feature Mike Frysinger <vapier@g.o>
Re: [gentoo-portage-dev] New preserve-libs feature Marius Mauch <genone@g.o>