| 1 |
On running glsa-check, it claims that I'm vulnerable to 17 glsa's. I keep my system very |
| 2 |
up-to-date with a daily "emerge world" and a weekly "emerge -uD world". So, I was a bit |
| 3 |
surprised to find that I was vulnerable to so many glsa's. However, in researching this, |
| 4 |
I've come up with a couple questsions. |
| 5 |
|
| 6 |
First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is |
| 7 |
pdflib and the second is various horde packages. However, I have the current versions of |
| 8 |
these installed -- the versions that the glsa says I need to solve the vulnerability. So, |
| 9 |
why would glsa-check say I'm vulnerable when I'm not? |
| 10 |
|
| 11 |
The next question is less about glsa-check and more about package dependencies. I was |
| 12 |
initially confused how I could have any package on my system that's not at the latest |
| 13 |
stable version, but I see now how emerge -uD world will only update the explicit |
| 14 |
dependencies of the packages listed in my world file. So, most of these un-updated |
| 15 |
packages must have been pulled in as a dependency at some point, but the package that |
| 16 |
needed them later stopped needing them. As I'd like to keep my installed packages down to |
| 17 |
what is only necessary (and avoid having vulnerable packages on my system), it would seem |
| 18 |
best to just uninstall these. But, I'd also like to be sure they're really ununsed. |
| 19 |
|
| 20 |
The only tool I've been able to find to check dependencies is "equery depends" (which, |
| 21 |
strangely enough, the man page says is unimplemented, but the gentoolkit page |
| 22 |
(http://www.gentoo.org/doc/en/gentoolkit.xml) quite happily recommends using). I tested it |
| 23 |
on some packages that are clearly needed (mysql, php) and it did find dependecies. So, the |
| 24 |
fact that it doesn't report anything for all these packages that should mean they're okay |
| 25 |
to remove, right? |
| 26 |
|
| 27 |
Well, I guess there is another dependency tool: emerge --depclean. But this seems |
| 28 |
completely whack: it finds 58 packages to delete. A number of these are java libraries |
| 29 |
(commons-logging, jdepend, etc.) that I may not need (but may want at some point), but |
| 30 |
also includes ant, which I would think most java apps would need. It also says I don't |
| 31 |
need ncompress, but equery depends said that tar needs ncompress! It would suck to break |
| 32 |
tar. And it also says I don't need glib!!!! So, in short, emerge --depclean seems as |
| 33 |
dangerous as they say... and therefore basically useless in my opinion. |
| 34 |
|
| 35 |
Anyway, sorry this is so long... any thoughts and ideas on how to keep your system clean |
| 36 |
are welcome. |
| 37 |
|
| 38 |
b |
| 39 |
-- |
| 40 |
gentoo-server@g.o mailing list |
Archives