Brad Plant wrote:
> Ok, I just checked the security handbook and it only mentions
> glsa-check. Ok, it's probably my bad... but shouldn't emerge world
> merge security updates too?

"world" is only the contents of /var/lib/portage/world and their (deep if using --deep) dependencies. Integration of glsa-check in the form of "emerge --security" or some such is planned. An "all" target is also planned.

> Running "emerge -pv depclean" should show any packages not covered by
> "world" right?

Unfortunately, that is *too* correct. Unfortunate in that both --depclean and --update only consider USE flags defined in make.conf and package.use (and embedded in .tbz2s when using binaries). This means that if package "foo" depends on package "bar" due to USE flag "baz" being enabled at install time and "baz" is subsequently disabled, "bar" becomes an orphaned package as far as the graph goes - even though it is still required.

What does this mean in terms of security? The "only install what you need" rule is twice as important. Until portage is a little smarter, I would consider a "healthy" system to be one where `emerge -uDNvp world` shows no differing USE flags and both `emerge -p --depclean` and `revdep-rebuild -p` show no packages.

--
Jason Stubbs
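The three checks Jason describes, scripted, as an added example that is not code from the thread or from Portage. It parses captured "pretend" output rather than calling Portage directly, so it can be read and exercised on a non-Gentoo box; with --live on a Gentoo system it captures the real emerge -uDNvp world, emerge -p --depclean and revdep-rebuild -p output instead. The sample outputs, package names and versions embedded below are constructed for illustration. It assumes the Portage convention that a "*" after a USE flag in pretend output marks a flag that changed since the package was last built, and that revdep-rebuild -p ends with an emerge --pretend listing; the depclean listing layout varies between Portage versions, so that parser is deliberately loose.

```shell
#!/bin/sh
# Added example, not code from the thread or from Portage: applies the three
# "healthy system" checks (no changed USE flags from emerge -uDNvp world,
# nothing from emerge -p --depclean, nothing from revdep-rebuild -p) to
# captured pretend output.  All samples below are constructed.  The '*' after
# a USE flag is assumed to be Portage's pretend-output marker for "changed
# since last build", which is exactly what --depclean and --update ignore.

# Print the atom (category/package-version) of every "[ebuild ...]" line.
ebuild_atoms() {
    awk '/^\[ebuild/ {
        line = $0
        sub(/^\[[^]]*\][ \t]*/, "", line)   # drop the "[ebuild  R  ]" status box
        split(line, f, " ")
        print f[1]
    }'
}

# Atoms whose USE="..." carries a changed-flag marker, from emerge -uDNvp world.
changed_use_packages() {
    grep 'USE="[^"]*\*' | ebuild_atoms
}

# Atoms emerge -p --depclean would unmerge.  Assumes a "would unmerge:" header
# followed by one indented category/package per line; the real layout differs
# between Portage versions, hence the loose match.
depclean_candidates() {
    awk '
        /would unmerge/ { in_list = 1; next }
        in_list && /^[ \t]*[a-z0-9-]+\/[A-Za-z0-9_.+-]+[ \t]*$/ { print $1 }'
}

# Arguments: files holding the output of
#   emerge -uDNvp world, emerge -p --depclean, revdep-rebuild -p
# Returns 0 only when all three are clean, i.e. a "healthy" system as defined above.
health_check() {
    bad=0
    use=$(changed_use_packages < "$1")
    dep=$(depclean_candidates < "$2")
    rev=$(ebuild_atoms < "$3")      # revdep-rebuild -p ends in an emerge -p listing
    if [ -n "$use" ]; then echo "USE changed since last build:";   echo "$use" | sed 's/^/  /'; bad=1; fi
    if [ -n "$dep" ]; then echo "--depclean would remove:";        echo "$dep" | sed 's/^/  /'; bad=1; fi
    if [ -n "$rev" ]; then echo "revdep-rebuild wants to rebuild:"; echo "$rev" | sed 's/^/  /'; bad=1; fi
    return $bad
}

# Constructed samples; package names and versions are illustrative only.
sample_world() {
cat <<'EOF'
These are the packages that would be merged, in order:

Calculating world dependencies... done!
[ebuild     U ] sys-apps/portage-2.0.51.22-r2 [2.0.51.22-r1] USE="-build -debug" 0 kB
[ebuild   R   ] net-misc/openssh-4.1_p1-r1  USE="pam tcpd* -X -X509 -kerberos -skey -static" 0 kB
[ebuild   R   ] app-editors/vim-6.3-r4  USE="ncurses -gtk* -perl -python" 0 kB
EOF
}
sample_depclean() {
cat <<'EOF'
>>> These are the packages that I would unmerge:

 dev-libs/libfoo
    selected: 1.0.2
   protected: none
     omitted: none

>>> 'Selected' packages are slated for removal.
EOF
}
sample_revdep() {
cat <<'EOF'
Checking reverse dependencies...
  broken /usr/lib/libbar.so.2 (requires libfoo.so.1)
Assigning files to packages...
[ebuild   R   ] app-misc/bar-0.3  USE="-doc" 0 kB
EOF
}

# With --live, capture the real Portage output; otherwise use the samples.
tmp=$(mktemp -d)
if [ "${1:-}" = "--live" ]; then
    emerge -uDNvp world  > "$tmp/world"    2>&1
    emerge -p --depclean > "$tmp/depclean" 2>&1
    revdep-rebuild -p    > "$tmp/revdep"   2>&1
else
    sample_world > "$tmp/world"; sample_depclean > "$tmp/depclean"; sample_revdep > "$tmp/revdep"
fi
if health_check "$tmp/world" "$tmp/depclean" "$tmp/revdep"; then
    echo "healthy: no USE drift, nothing orphaned, nothing broken"
else
    echo "NOT healthy: resolve the above before trusting --depclean or --update"
fi
rm -rf "$tmp"
```

The point of splitting the output into three named lists is that each one maps to a different remedy: a changed USE flag means the package must be rebuilt (emerge -N) before --depclean's graph can be trusted, a depclean candidate must be checked by hand for exactly the hidden-USE-dependency case described above before it is unmerged, and a revdep-rebuild candidate is already broken at the linking level and has to be rebuilt regardless.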