Ian,
I was just going on about a similar concern to yours and Chris Schwerdt replied just this
morning with this:
<snip>
Give unclepine a try (unclepine -u).
http://forums.gentoo.org/viewtopic.php?t=260866
</snip>
I tried it out and it seems to work pretty well. The author claims that equery depends
isn't very reliable. I tried unclepine with glib -- which "emerge --depclean" said it
wanted to remove, but "equery depends" said is depended on by a bunch of packages -- and
it says glib is not depended on by anything. Go figure.
I agree that there are definitely some rough spots in portage (though you should switch to
FreeBSD and see how much of a mess the Ports system is in comparison). I've been using
gentoo for a couple years and I just figured out the stuff about packages not getting
updated if it's not in the world file.
Oh, by the way emerge -uD world will update dependencies of everything in the world file,
even if there not in the world file themselves... it's the stuff that gets emerged and
then stops being a dependency of something else that's the problem. Although, I suppose
one could make the weak argument that, if a package is no longer a dependency of anything,
it's probably not going to be exercised. Still, it seems this would be pretty simple to
solve if there were an "emerge *", that checked every package on your machine for an update.
b
PS: just before I sent this I had a hunch and tried "equery depends glibc"... it has the
same output as "equery depends glib". So, that was just a lack of specificity on my
part... though equery really should squawk if a pkg is not specific enough (or not found).
If I try "equery depends dev-libs/glib" it comes back with no dependencies.
Ian P. Christian wrote:
I've recently been spending some time getting to know a little more about
portage, and I've run into a few issues.
$ emerge --update --deep --newuse world
It's reasonably well known that the above doesn't update all packages
installed on a system - I think it only updates packages that are in the
world file. Recently, this issue has left a server of mine with a insecure
version of apache (apache was installed due to a dependency caused by PHP, or
some application I installed that pulled in php, which in turn pulled in
apache.).
The man page does cover this, but it's by no means made obvious - and I think
this is rather a large issue, as a log of users of gentoo probably don't know
this.
From the manual:
"When you install a package with uninstalled dependencies and do not
explicitly state those dependencies in the list of parameters, they will not
be added to the world file. If you want them to be detected for world
updates, make sure to explicitly list them as parameters to emerge."
It should have a big WARNING or something next to it IMO.
emerge --depclean will point out what isn't in your world file for you, so you
can go ahead and add things to the world file manually. Having done this,
when you uninstall whatever it was that dragged that dependency in in the
first place, you will get unneeed packages on the system.
Lets say for examples sake I install mail-client/squirrelmail. This will pull
in PHP, which will pull in apache. In this case, -uD will not update apache
should a new version appear. An emerge --depclean will show apache as being
removable- so apache will need manually adding to the world file. Now, when
I uninstall squirrrelmail, apache is no longer needed, but depclean won't
show that, because I was forced to add it to the world file. In a lot of
situations, the package might be a lot more obscure, perhaps some odd
libraries which now are in the world file, and will stay there, because
unless I manually look though the world file, and run an 'equery depends' on
each one, I won't notice they are no longer needed.
So it seems that I either suffer packages not being updated, or am forced into
adding things into the world file and then face the problem that dependencies
will not be removable by depclean.
Also, I don't understand why emerge --depclean will show a package, which upon
doing an 'equery depends' on that package will show that actaully that
package is needed. Why do these tools contradict each other? Surly depclean
should have the logic that equery uses to see when a dependency really is
needed?
glsa-check goes some way to solving the problem, it does check to see if there
are outdated packages that have been effected by security issues - but it
doens't update libraries that were installed but aren't in the world file.
Is there a script that's been developed to be cronned to email the sys admin a
report saying what packages need updating? I noticed that in the last month
on this list there has been some useful information about running glsa-check
and rsynicng just part of the portage tree. This kind of thing is intregal to
running a server, and if no such script exists in the portage tree, I will
attempt to write one.
Kind Regards,
--
[email protected] mailing list
