Thanks for the insight re. broken dependencies! I'm not looking for any fire and forget solutions, just trying to get a good understanding of the issues. When you say that you checked each package by hand, what were you checking with? I (obviously) don't know how to tell if a given program/package is affected in such a way as to require being recompiled after any given update.
Thanks! -jto

> -----Original Message-----
> From: MAL [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 08, 2003 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] Upgrading OpenSSL
>
>
> Joel Osburn wrote:
> > files jtosburn # revdep-rebuild --help
> > Usage: /usr/bin/revdep-rebuild [OPTIONS] [--] [EMERGE_OPTIONS]
> >
> > Broken reverse dependency rebuilder.
> >
> ...
> >
> > If the developers think it's broken, then I wouldn't trust it, and I'm
> > not sure that it does what I'm looking for, anyway.
>
> heheh, it's not broken... it is a [database] rebuilder for broken
> reverse dependencies.
>
> > So the question remains: how the heck do you know what needs to be
> > recompiled after any given (particularly security-related) update? How
> > many people are still running a mod_ssl that was compiled with a
> > vulnerable openssl; sure they read the GLSA's and knew to update
> > openssl, but nothing was said about anything that is statically linked
> > to it. I don't expect that the devels would ever list every program
> > possibly affected by a GLSA, but there ought to be a way for admins and
> > users to figure out what's what on their systems.
>
> Quite simply, if you're running a system that is that security
> conscious, (webserver, etc), you should know what is on your system and
> be prepared for things like this. Personally I did a qpkg -I -q
> openssl, then checked those programs out by hand, (tho there was nothing
> there I didn't expect... mail server, openssh, mod_ssl, wget, mod_php,
> etc.), all of which needed restarting in some fashion anyway.
>
> Security updates aren't a fire and forget thing, irrelevant of how
> hand-holding the package system is. Just be happy that qpkg -q exists
> at all, and stay vigilant :)
>
> MAL
>
>
> --
> [EMAIL PROTECTED] mailing list
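One way to do the "check by hand" step the thread is asking about, as an added shell example that is not from this thread and does not rely on qpkg: walk the directories you name and report every executable that references OpenSSL, separating those that load libssl/libcrypto dynamically (restart needed after the upgrade) from those that only carry an embedded "OpenSSL x.y.z" version string (likely statically linked, so a rebuild is needed). The string check is a heuristic, not proof of static linkage, and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Given directories, report every
# executable that references OpenSSL, so an admin can decide what to
# rebuild (static links) or restart (dynamic links) after upgrading openssl.
# Heuristic only: an embedded "OpenSSL x.y.z" string suggests, but does not
# prove, a static link (it can also come from a bundled copy or a message).

# Exit 0 if FILE's dynamic dependencies include libssl or libcrypto.
# (objdump -p FILE | grep NEEDED does the same without handing the file to
# the dynamic loader, if binutils is installed.)
dyn_needs_openssl() {
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)\.so' >/dev/null
}

# Print the distinct "OpenSSL <version>" strings embedded in FILE, if any.
embedded_openssl_versions() {
    tr -c '[:print:]' '\n' < "$1" | grep -o 'OpenSSL [0-9][0-9A-Za-z.]*' | sort -u
}

# Classify FILE as: dynamic (restart after upgrade), static? (likely needs
# a rebuild), or none.
classify() {
    if dyn_needs_openssl "$1"; then
        echo dynamic
    elif [ -n "$(embedded_openssl_versions "$1")" ]; then
        echo 'static?'
    else
        echo none
    fi
}

# Walk DIR... and print "<class> <versions> <path>" (tab-separated) per hit.
scan() {
    for dir in "$@"; do
        find "$dir" -type f -perm -100 2>/dev/null | while read -r f; do
            c=$(classify "$f")
            [ "$c" = none ] && continue
            v=$(embedded_openssl_versions "$f" | tr '\n' ',' | sed 's/,$//')
            printf '%s\t%s\t%s\n' "$c" "${v:--}" "$f"
        done
    done
}

# Usage (assumed paths; adjust to where your services and modules live):
#   scan /usr/bin /usr/sbin /usr/lib/apache2/modules
```

A "static?" hit whose embedded version is older than the openssl you just installed is the case the thread worries about: the package still carries the vulnerable code and has to be re-emerged, not merely restarted.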
