Gentoo Archives: gentoo-portage-dev

From: Marius Mauch <genone@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] New preserve-libs feature
Date: Sat, 17 Feb 2007 14:27:15
Message-Id: 20070217152854.15e77c65@sheridan.genone.homeip.net
In Reply to: Re: [gentoo-portage-dev] New preserve-libs feature by Simon Stelling

On Sat, 17 Feb 2007 14:55:26 +0100
Simon Stelling <blubb@g.o> wrote:

> Marius Mauch wrote:
> > So everyone who has valid objections to the _general idea_ of this
> > implementation (preserving old libraries to avoid some runtime
> > linker errors) speak up now.
>
> For how long are these libraries preserved? This might have a security
> impact in cases like the recent openssl-case where you had to upgrade
> to an incompatible ABI because the version using the old one was
> vulnerable. Using preserve-libs it would leave the old lib around,
> making it possible for programs to link against the wrong version and
> ending up being vulnerable. I realize that the feature is meant to
> help the transitional phase until all apps are built against the new
> ABI, but how would you find these vulnerable apps currently?
> revdep-rebuild wouldn't rebuild them since they are still functional.

Currently they are around as long as they are referenced by other
packages or until the package is unmerged. And yes, there should be a
way to tell revdep-rebuild/the user which packages should/need to be
rebuilt, but I haven't made my mind up yet on how to accomplish that
(in fact atm there is no separation between "native" and "imported"
libs in vdb, I'm aware that needs to be added).

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

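The two questions raised in this exchange (which packages still link against a preserved library and need a rebuild, and which preserved libraries are no longer referenced by any other package) can be answered from per-package link records, as in the following added example. It is not Portage code and not part of the original message; the "object-path soname,soname" record format, the function names, and every package and library name in the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical packages and sonames).
# PRESERVED: old soname -> package that kept it on disk after its upgrade.
PRESERVED = {
    "libssl.so.0.9.7": "dev-libs/openssl",
    "libcrypto.so.0.9.7": "dev-libs/openssl",
    "libexample.so.1": "dev-libs/example",
}
# INSTALLED: package -> assumed link records, one "path soname,soname" per object.
INSTALLED = {
    "dev-libs/openssl": "/usr/bin/openssl libc.so.6,libssl.so.0.9.8\n"
                        "/usr/lib/libssl.so.0.9.7 libc.so.6,libcrypto.so.0.9.7\n",
    "net-misc/example-client":
        "/usr/bin/example-client libc.so.6,libssl.so.0.9.7,libcrypto.so.0.9.7\n",
    "www-servers/example-httpd": "/usr/sbin/example-httpd libc.so.6,libssl.so.0.9.8\n"
                                 "/usr/lib/example-httpd/mod_old.so libssl.so.0.9.7\n",
    "app-misc/example-tool": "/usr/bin/example-tool libc.so.6\n",
}

def parse_needed(text):
    """Parse link records into {object path: set of sonames}; paths with spaces are out of scope."""
    needed = {}
    for line in text.splitlines():
        path, _, sonames = line.strip().partition(" ")
        if path:
            needed[path] = {s for s in sonames.split(",") if s}
    return needed

def audit_preserved(preserved, installed):
    """Return (rebuild, removable): consumers of preserved libs, and preserved libs nobody else uses."""
    rebuild, consumed = {}, set()
    for pkg, text in installed.items():
        hits = defaultdict(list)
        for path, sonames in parse_needed(text).items():
            for soname in sonames.intersection(preserved):
                # A preserved lib referenced only by its own package does not count as "in use".
                if preserved[soname] != pkg:
                    hits[soname].append(path)
        if hits:
            rebuild[pkg] = {s: sorted(p) for s, p in hits.items()}
            consumed.update(hits)
    return rebuild, sorted(set(preserved) - consumed)

if __name__ == "__main__":
    rebuild, removable = audit_preserved(PRESERVED, INSTALLED)
    for pkg, hits in sorted(rebuild.items()):
        for soname, paths in sorted(hits.items()):
            print(f"rebuild {pkg}: {', '.join(paths)} -> {soname}")
    print("no consumers left:", ", ".join(removable))
```

The rebuild list is what a security-driven upgrade needs: each entry is an object that still loads the old ABI even though it continues to run.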