On 10/11/2011 10:28 PM, Mike Gilbert wrote:
> On 10/12/2011 12:54 AM, Zac Medico wrote:
>> On 10/11/2011 12:56 PM, Michał Górny wrote:
>>> Or go with saner defaults...
>>
>> So, are any of the following sane?
>>
>> 1) Pull in updates for packages even though those packages won't be used
>> for anything.
>>
>
> Francisco raised a possibly valid point in his original message: though
> packages may not be currently used for anything, they could contain
> un-patched security flaws.

If they contain something that's accessed at runtime, then they should
be in RDEPEND or PDEPEND, no exceptions.

> This seems pretty unlikely to me given the sorts of packages that are
> build-time-only deps, but it could be possible.

We can try to split up people who care about this into categories:

1) People who are "security conscious" or just plain paranoid can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to ease their minds.

2) People who want all build-time deps up to date at all times, in case
they decide to rebuild something on a whim, can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to keep everything up to date. This
is what I do.

3) People who think they might use a particular package and want to
ensure that it's the latest version can add that package to the world
file. They can look for possible candidates in the output of
`emerge --pretend --depclean --with-bdeps=n`.

--
Thanks,
Zac