From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-204887-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 0975C158042
	for <garchives@archives.gentoo.org>; Fri, 25 Oct 2024 16:40:03 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 25C2CE08FC;
	Fri, 25 Oct 2024 16:39:58 +0000 (UTC)
Received: from ciao.gmane.io (ciao.gmane.io [116.202.254.214])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (prime256v1) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id DDBB0E0884
	for <gentoo-user@lists.gentoo.org>; Fri, 25 Oct 2024 16:39:57 +0000 (UTC)
Received: from list by ciao.gmane.io with local (Exim 4.92)
	(envelope-from <lnx-gentoo-user@m.gmane-mx.org>)
	id 1t4NLv-0005IH-3k
	for gentoo-user@lists.gentoo.org; Fri, 25 Oct 2024 18:39:55 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: gentoo-user@lists.gentoo.org
From: Grant Edwards <grant.b.edwards@gmail.com>
Subject: [gentoo-user] Re: Why does bind-tools 9.18 depend on bind?
Date: Fri, 25 Oct 2024 16:39:50 -0000 (UTC)
Message-ID: <vfghkm$j88$1@ciao.gmane.io>
References: <vfe4l7$uk0$1@ciao.gmane.io>
 <2acf0931-8d75-4e2d-99f2-75a8f8fcd94e@gentoo.org>
 <vfepqu$h1f$1@ciao.gmane.io> <ZxtsCxTwb1jccy2_@stitch>
 <b85e4e9e-312c-5f17-51fa-14be8d4da24c@applied-asynchrony.com>
 <09bbc077d6abcbac7da185287b517b0a6bc3da25.camel@gentoo.org>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
User-Agent: slrn/1.0.3 (Linux)
X-Archives-Salt: efc5a550-6224-4cc0-b91c-7cd72931abb2
X-Archives-Hash: 11b245e909c28f9093be8794598bf880

On 2024-10-25, Michael Orlitzky <mjo@gentoo.org> wrote:
> On Fri, 2024-10-25 at 13:08 +0200, Holger Hoffstätte wrote:
>> > 
>> > It's a Go package though, so it will quietly install a mountain a
>> > random outdated static libraries from github.
>> 
>> What? No, it will not. Those dependencies are absolutely not installed,
>> they are only used for building & linking the executable.
>> 
>
> You're right of course but after they're all statically linked into
> that executable, the executable, containing the libraries that will
> never be updated, is installed. And then we use them to process
> untrusted content from the network...?

And there seems to be plenty of crypto and ssh stuff in there, so
that's a bit scary.

--
Grant