On Fri, 5 May 2006 16:38:57 +0200
Carsten Lohrke <[EMAIL PROTECTED]> wrote:

> On Friday 05 May 2006 15:23, Kevin F. Quinn (Gentoo) wrote:
> > I disagree.  Your argument is for not using ~arch at all, rather
> > than an argument against keeping control of what you have from
> > ~arch.
> 
> No. My argument is that category/ebuild is much better than
> =category/ebuild-x*. If and only if there's a problem with the
> former, you should take the latter into account and monitor the
> ebuild changes closely.

From my perspective, category/package is worse.  It means once a package
goes ~arch, it never becomes arch again.  My approach means that when
I've gone ~arch to get something only available in that version, it
becomes arch once the package gets stabilised or a later version is
stabilised.

> > In practice, I tend to do:
> >
> > =category/package-version* ~arch
> >
> > so that I pick up -rN bumps on unstable versions as this should mean
> > that the maintainer considers the change necessary for users of that
> > version.
> 
> So you won't get security updates, when this means it is a version
> bump. And this is most often the case. Unless you _always_ read the
> ChangeLogs and referenced bugs of all ebuilds you run testing, this
> is not safe.

First, I'll get the security updates when (1) the relevant updated
package goes stable, which is usually pretty quickly, or (2)
notification is made in gentoo-announce (which must be the correct
place to get such notifications).

Secondly, "Up-to-date on GLSAs" != "safe".  Not by a long shot.
Further, missing GLSAs does not necessarily mean I'm vulnerable.
That's what the detail is for in the GLSAs; so I can make a judgement
call on whether I need to worry about a vulnerability or not.

Lastly, if there are versions of a package in ~arch that have known
security flaws, my understanding is that they either get patched with a
-rN bump, or they get removed from the tree in favour of a later
version that is not vulnerable.  Either way, I get notification when I
next do an update.

-- 
Kevin F. Quinn
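
As an added illustration, not part of the thread and not Portage code, here is a constructed Python model of how the two package.keywords styles behave in the situations the thread describes (a -rN security bump, a security fix shipped as a version bump, and the package later being stabilised). It assumes a simplified version syntax (dotted numbers plus an optional -rN) and treats the trailing `*` as component-wise prefix matching, so `1.1*` matches 1.1, 1.1.2 and 1.1-r1 but not 1.10.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, simplified model of how a package.keywords entry interacts with
# keyword acceptance. Not Portage code: versions are limited to dotted numbers
# plus an optional -rN revision, and '*' does component-wise prefix matching.


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """'1.1-r1' -> ((1, 1), 1); a missing revision counts as 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)


def atom_matches(entry: str, version: str) -> bool:
    """'cat/pkg' accepts every version; '=cat/pkg-1.1*' only the 1.1 series."""
    m = re.fullmatch(r"=(.+)-(\d+(?:\.\d+)*)\*", entry)
    if m is None:
        return True  # unversioned entry: the whole package is keyworded
    prefix = parse_version(m.group(2))[0]
    return parse_version(version)[0][:len(prefix)] == prefix


def best_version(tree: Dict[str, str], entry: Optional[str]) -> str:
    """Highest version whose keyword is accepted: stable ('arch') always is,
    testing ('~arch') only when the package.keywords entry matches it."""
    accepted = [v for v, kw in tree.items()
                if kw == "arch" or (entry is not None and atom_matches(entry, v))]
    return max(accepted, key=parse_version)


def simulate(entry: Optional[str]) -> List[str]:
    """Replay the thread's scenarios against one package.keywords entry."""
    tree = {"1.0": "arch", "1.1": "~arch"}  # user wants the testing 1.1
    chosen = [best_version(tree, entry)]
    tree["1.1-r1"] = "~arch"                # security fix as a -rN bump
    chosen.append(best_version(tree, entry))
    tree["1.2"] = "~arch"                   # security fix as a version bump
    chosen.append(best_version(tree, entry))
    tree["1.2"] = "arch"                    # 1.2 is stabilised ...
    tree["1.3"] = "~arch"                   # ... and a new testing version lands
    chosen.append(best_version(tree, entry))
    return chosen


if __name__ == "__main__":
    for e in (None, "app-misc/example", "=app-misc/example-1.1*"):
        print(f"{e!s:26} -> {simulate(e)}")
```

The third step is Carsten's point (the versioned entry stays on 1.1-r1 while the fix sits in 1.2 ~arch), and the fourth is Kevin's (once 1.2 is stabilised the versioned entry is back on stable and does not pull in 1.3 ~arch, whereas the bare package entry does).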
