On running glsa-check, it claims that I'm vulnerable to 17 GLSAs. I keep my system very up-to-date with a daily "emerge world" and a weekly "emerge -uD world". So, I was a bit surprised to find that I was vulnerable to so many GLSAs. However, in researching this, I've come up with a couple of questions.

First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is pdflib and the second is various horde packages. However, I have the current versions of these installed -- the versions that the GLSA says I need to solve the vulnerability. So, why would glsa-check say I'm vulnerable when I'm not?

The next question is less about glsa-check and more about package dependencies. I was initially confused as to how I could have any package on my system that's not at the latest stable version, but I see now how emerge -uD world will only update the explicit dependencies of the packages listed in my world file. So, most of these un-updated packages must have been pulled in as a dependency at some point, but the package that needed them later stopped needing them. As I'd like to keep my installed packages down to what is only necessary (and avoid having vulnerable packages on my system), it would seem best to just uninstall these. But, I'd also like to be sure they're really unused.

The only tool I've been able to find to check dependencies is "equery depends" (which, strangely enough, the man page says is unimplemented, but the gentoolkit page (http://www.gentoo.org/doc/en/gentoolkit.xml) quite happily recommends using). I tested it on some packages that are clearly needed (mysql, php) and it did find dependencies. So, the fact that it doesn't report anything for all these packages should mean they're okay to remove, right?

Well, I guess there is another dependency tool: emerge --depclean. But this seems completely whack: it finds 58 packages to delete. A number of these are java libraries (commons-logging, jdepend, etc.) that I may not need (but may want at some point), but it also includes ant, which I would think most java apps would need. It also says I don't need ncompress, but equery depends said that tar needs ncompress! It would suck to break tar. And it also says I don't need glib!!!! So, in short, emerge --depclean seems as dangerous as they say... and therefore basically useless in my opinion.

Anyway, sorry this is so long... any thoughts and ideas on how to keep your system clean are welcome.

b
--
gentoo-server@g.o mailing list
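The two checks compared in the post answer different questions, and the example below (added here, not part of the original message or of gentoolkit/portage) models both on a constructed package graph: reverse_deps() gives the one-level answer that "equery depends" gives, while candidates() follows the reachability idea behind "emerge --depclean", starting from the world and system sets. The package names, the graph and the system set are all constructed for illustration.

```python
# Added example, not from the original post: a toy model of the two checks
# the post compares. reverse_deps() answers what `equery depends <pkg>`
# answers (which installed packages directly depend on pkg); candidates()
# follows the idea behind `emerge --depclean`: list everything not reachable
# from the root sets (world + system) through the dependency graph. The graph
# is constructed; real portage reads the installed package database and
# evaluates USE-conditional deps, which this simplified model ignores.

WORLD = {"www-servers/apache", "dev-lang/php", "dev-db/mysql"}
SYSTEM = {"app-arch/tar", "sys-apps/baselayout"}   # constructed system set

# constructed: installed package -> packages it declares as dependencies
DEPS = {
    "www-servers/apache": {"dev-libs/apr"},
    "dev-lang/php": {"dev-db/mysql", "dev-libs/libxml2"},
    "dev-db/mysql": {"sys-libs/zlib"},
    "app-arch/tar": {"app-arch/ncompress"},
    "sys-apps/baselayout": set(),
    "dev-libs/apr": set(),
    "dev-libs/libxml2": {"sys-libs/zlib"},
    "sys-libs/zlib": set(),
    "app-arch/ncompress": set(),
    "dev-java/ant": {"dev-java/commons-logging"},
    "dev-java/commons-logging": set(),
    "dev-java/jdepend": set(),
}

def reverse_deps(pkg, deps=DEPS):
    """Installed packages that directly depend on pkg (one level only)."""
    return sorted(p for p, ds in deps.items() if pkg in ds)

def reachable(roots, deps=DEPS):
    """Every package reachable from roots by following dependencies."""
    seen, stack = set(), list(roots)
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(deps.get(p, ()))
    return seen

def candidates(world=WORLD, system=SYSTEM, deps=DEPS):
    """Installed packages nothing in world or system needs, even indirectly."""
    return sorted(set(deps) - reachable(world | system, deps))

def explain(pkg):
    """Both answers for one package. They disagree when pkg's only dependents
    are orphans themselves (here: commons-logging is needed only by ant)."""
    return reverse_deps(pkg), pkg in candidates()
```

A package with a non-empty reverse_deps() list can still be a depclean candidate when everything that needs it is itself unreachable from world and system, so checking a single "equery depends" result is not enough on its own.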