On running glsa-check, it claims that I'm vulnerable to 17 GLSAs. I keep my system very
up-to-date with a daily "emerge world" and a weekly "emerge -uD world". So, I was a bit
surprised to find that I was vulnerable to so many GLSAs. However, in researching this,
I've come up with a couple questions.
First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is
pdflib and the second is various horde packages. However, I have the current versions of
these installed -- the versions that the GLSA says I need to solve the vulnerability. So,
why would glsa-check say I'm vulnerable when I'm not?
The next question is less about glsa-check and more about package dependencies. I was
initially confused how I could have any package on my system that's not at the latest
stable version, but I see now how emerge -uD world will only update the explicit
dependencies of the packages listed in my world file. So, most of these un-updated
packages must have been pulled in as a dependency at some point, but the package that
needed them later stopped needing them. As I'd like to keep my installed packages down to
what is only necessary (and avoid having vulnerable packages on my system), it would seem
best to just uninstall these. But, I'd also like to be sure they're really unused.
The only tool I've been able to find to check dependencies is "equery depends" (which,
strangely enough, the man page says is unimplemented, but the gentoolkit page
(http://www.gentoo.org/doc/en/gentoolkit.xml) quite happily recommends using). I tested it
on some packages that are clearly needed (mysql, php) and it did find dependencies. So, the
fact that it doesn't report anything for all these packages should mean they're okay
to remove, right?
Well, I guess there is another dependency tool: emerge --depclean. But this seems
completely whack: it finds 58 packages to delete. A number of these are java libraries
(commons-logging, jdepend, etc.) that I may not need (but may want at some point), but
also includes ant, which I would think most java apps would need. It also says I don't
need ncompress, but equery depends said that tar needs ncompress! It would suck to break
tar. And it also says I don't need glib!!!! So, in short, emerge --depclean seems as
dangerous as they say... and therefore basically useless in my opinion.
Anyway, sorry this is so long... any thoughts and ideas on how to keep your system clean
are welcome.
b
--
[email protected] mailing list
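As an added illustration, not from the original post and not Portage's code: a toy Python model of why "equery depends" and "emerge --depclean" can disagree. The package names, the world/system roots and the dependency edges are constructed, and the rule that a build-time-only dependency does not keep a package installed is an assumption made for the model, not a statement of Portage's exact behaviour.

```python
"""Toy model of why `equery depends` and `emerge --depclean` can disagree.
Constructed example, not Portage code: names, roots and edges are made up."""
from collections import deque

# What depclean keeps: the world file plus the system set (assumed roots).
ROOTS = {"app-arch/tar", "dev-lang/php", "dev-db/mysql", "dev-java/some-app"}

# Installed packages and the runtime dependencies each declares (constructed).
RDEPEND = {
    "app-arch/tar": set(),
    "dev-lang/php": {"dev-db/mysql", "dev-libs/libxml2"},
    "dev-db/mysql": set(),
    "dev-libs/libxml2": set(),
    "dev-java/some-app": {"dev-java/commons-logging"},
    "dev-java/commons-logging": set(),
    "dev-java/jdepend": set(),             # pulled in once, no longer needed
    "dev-java/ant": {"dev-java/xerces"},   # orphan that still has deps of its own
    "dev-java/xerces": set(),
    "app-arch/ncompress": set(),
}
# Build-time-only dependencies: `equery depends` reports these like any other,
# but in this model they do not keep a package installed (assumption).
DEPEND = {"app-arch/tar": {"app-arch/ncompress"}}


def reverse_depends(pkg):
    """Direct reverse dependencies, like `equery depends`: every installed
    package whose DEPEND or RDEPEND names pkg, whether that package is needed or not."""
    rdeps = {p for p, deps in RDEPEND.items() if pkg in deps}
    rdeps |= {p for p, deps in DEPEND.items() if pkg in deps}
    return sorted(rdeps)


def depclean_candidates():
    """Installed packages not reachable from the roots over runtime
    dependencies: the set a depclean-style pass would propose to remove."""
    reachable, queue = set(ROOTS), deque(ROOTS)
    while queue:
        for dep in RDEPEND.get(queue.popleft(), ()):
            if dep not in reachable:
                reachable.add(dep)
                queue.append(dep)
    return sorted(set(RDEPEND) - reachable)


if __name__ == "__main__":
    # A candidate can still show reverse deps: ncompress (build-time only)
    # and xerces (its only dependent, ant, is itself an orphan).
    for pkg in depclean_candidates():
        print(f"{pkg}: reverse deps = {reverse_depends(pkg) or 'none'}")
```

The point to take from the output is that a package listed by the reverse lookup is not automatically safe: its dependent may be a build-time-only consumer or may itself be an orphan.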