Hi!

On Mon, Sep 12, 2005 at 06:52:31PM +0100, Ian P. Christian wrote:
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a lot of users of gentoo probably don't know
> this.

Yep. :( And there exist some things which probably (were?) not covered by
manuals - I've spent a lot of time reading forums to make clear how to use
portage in a SAFE way. I've summarized this information and posted it in a
forum, but, sorry, it's in Russian - I've no time to translate it now.
It's available here: http://gentoo.ru/node/193 (if somebody wanna translate).

In short, to update the system in a __SAFE__ way:

1. Check /var/lib/portage/world:
   - it shouldn't contain any libraries and software which YOU don't need
     and which are just dependencies of some other packages
   - it shouldn't contain packages which are in 'system'
   - it shouldn't contain packages with a version/revision number

2. Check /etc/portage/* files because they can contain things which are no
   longer relevant and which prevent you from upgrading in the right way now.

3. Rarely, but a profile update may be needed (usually when the old profile
   becomes deprecated or when switching to hardened, etc.).

4. USE flags for some packages may be changed. To detect this, run

       emerge -uDNpv world

   and review flags for all critical (for you) packages.

5. If none of the toolchain packages (linux-headers, glibc, binutils, gcc)
   wanna upgrade then just run

       emerge -uDNav world

   else things become more complicated because for a number of reasons it's
   a good idea to recompile the whole system in this way:

       # clean $pkgdir in some way to optimize compilation speed by
       # building/using binary packages:
       pkgdir=$(portageq pkgdir)
       mv "$pkgdir" /tmp/portage-packages
       install -d -o portage -g portage "$pkgdir"
       # compile toolchain: first pass
       emerge linux-headers glibc binutils gcc-config gcc
       # select new gcc if it was installed in new SLOT
       gcc-config ...
       source /etc/profile
       # compile toolchain: second pass + make binary packages
       emerge -b glibc binutils gcc portage
       # recompile system (toolchain used from binary packages to save time)
       emerge -bke system
       # recompile world (system used from binary packages to save time)
       emerge -ke world

6. Even after this there may exist not updated packages with security holes
   (in SLOTs), so:

       glsa-check -l | grep '\[N\]'
       emerge ...    # manually update needed packages

7. Remove unneeded dependencies:

       emerge -a depclean
       emerge -uDNav world    # fix possible errors in depclean

8. After updating libraries there may be a need to recompile something:

       rm /root/.revdep-rebuild*.?_*
       revdep-rebuild

9. Update config files:

       dispatch-conf

10. While updating packages some ebuilds print important information (which
    is lost with batch update, of course). To review this information you
    need the `enotice` or `portlog-info` tools.

11. ... Joke! That's all, folks! :-))

Of course, not all these steps are needed every day, but ... Anyway, without
manual actions and a lot of attention it's impossible to update the system in
a safe way. This isn't a Gentoo problem, of course, the same issues exist in
other distributions, but they are mostly hidden and hit you when you don't
expect. :(

-- 
WBR, Alex.
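The step 1 check of /var/lib/portage/world from the message above, as an added shell example that is not part of the original post. The function name `audit_world`, the system-set list file (one category/package per line, prepared by the reader from their own profile) and the sample entries are assumptions; it covers the 'system' and version/revision rules only, not the dependency-only library rule, which needs the installed-package database.

```shell
#!/bin/sh
# audit_world WORLD_FILE SYSTEM_LIST  (hypothetical helper, not a Portage tool)
# Prints "versioned <atom>" or "in-system <atom>" for entries that break the
# step 1 rules. SYSTEM_LIST is an assumed file: one category/package per line.
audit_world() {
    world=$1
    system_list=$2
    while IFS= read -r atom; do
        case $atom in
            ''|'#'*) continue ;;                       # blank line or comment
            '='*|'<'*|'>'*|'~'*)                       # version operator prefix
                echo "versioned $atom"; continue ;;
        esac
        # Trailing -<version>[-r<revision>], e.g. dev-libs/glib-2.6.5-r1
        if printf '%s\n' "$atom" | grep -Eq \
            -e '-[0-9]+(\.[0-9]+)*[a-z]?(_(alpha|beta|pre|rc|p)[0-9]*)*(-r[0-9]+)?$'
        then
            echo "versioned $atom"
        elif grep -Fxq -e "$atom" "$system_list"; then
            echo "in-system $atom"
        fi
    done < "$world"
}

# Constructed sample input (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' app-editors/vim '=sys-devel/gcc-3.3.6' dev-libs/glib-2.6.5-r1 \
    sys-libs/glibc app-arch/bzip2 > "$demo/world"
printf '%s\n' sys-libs/glibc sys-devel/gcc > "$demo/system"
audit_world "$demo/world" "$demo/system"
rm -rf "$demo"
```

Run it against a copy of the world file and review each reported entry by hand before editing the real file.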
