Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-12 Thread Zac Medico
On 10/11/2011 10:59 PM, Graham Murray wrote:
 Zac Medico zmed...@gentoo.org writes:
 
 On 10/11/2011 10:28 PM, Mike Gilbert wrote:
 Francisco raised a possibly valid point in his original message: though
 packages may not currently be used for anything, they could contain
 un-patched security flaws.

 If they contain something that's accessed at runtime, then they should
 be in RDEPEND or PDEPEND, no exceptions.
 
 But is it not possible that the flaw in the build-time dependency causes
 an insecurity to be built into the dependent package and that both have
 to be rebuilt as part of the security fix?

For statically linked libraries, yes. However, --with-bdeps=y alone
won't help you with that. You'll also have to enable
--rebuild-if-new-rev=y in order to automatically rebuild the reverse
dependencies of the statically-linked library.
-- 
Thanks,
Zac



[gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Francisco Blas Izquierdo Riera (klondike)
Hi,

Today I have found that build dependencies are left in the system but
won't be upgraded when running emerge -vauD1 world.
This can be inconvenient since security issues fixed in those left over
packages won't be applied properly.
So, is there any reason for this behaviour? Shouldn't build dependencies
either be cleaned with --depclean after building or be upgraded to avoid
possible issues?

Sorry if this gets in here twice, I used an incorrect account.






Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Markos Chandras

On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
 Hi,
 
 Today I have found that build dependencies are left in the system
 but won't be upgraded when running emerge -vauD1 world. This can be
 inconvenient since security issues fixed in those left over 
 packages won't be applied properly. So, is there any reason for
 this behaviour? Shouldn't build dependencies either be cleaned with
 --depclean after building or be upgraded to avoid possible issues?
 
 Sorry if this gets in here twice, I used an incorrect account.
 
 
Maybe you want the --with-bdeps parameter along with the -D one? man
emerge - section Options - parameter -D

-- 
Regards,
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Francisco Blas Izquierdo Riera (klondike)
On 11/10/11 20:55, Markos Chandras wrote:
 On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
  Hi,

  Today I have found that build dependencies are left in the system
  but won't be upgraded when running emerge -vauD1 world. This can be
  inconvenient since security issues fixed in those left over
  packages won't be applied properly. So, is there any reason for
  this behaviour? Shouldn't build dependencies either be cleaned with
  --depclean after building or be upgraded to avoid possible issues?

  Sorry if this gets in here twice, I used an incorrect account.


 Maybe you want the --with-bdeps parameter along with the -D one? man
 emerge - section Options - parameter -D
That makes sense, but then the problem is the poor documentation we
have on the Internet.
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
Here no mention of that option is made.
Nor is it in:
http://www.gentoo.org/doc/en/gentoo-upgrading.xml

And in fact no mention of the option is made in the doc space at all. I
may also be wrong here, but I don't recall finding it when I started with
portage and no notice was issued since then, so either I misunderstood
it, kinda likely by then, or it was added later. And the fact it wasn't
commented on at all in the documentation didn't help.

The question now is: does anybody think this shouldn't appear in the
handbook? If nobody has a problem I'll prepare a patch.

PS: howarang thanks for the point I found it really odd this was missing.





Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Alec Warner
On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
(klondike) klond...@gentoo.org wrote:
 On 11/10/11 20:55, Markos Chandras wrote:
 On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
  Hi,

  Today I have found that build dependencies are left in the system
  but won't be upgraded when running emerge -vauD1 world. This can be
  inconvenient since security issues fixed in those left over
  packages won't be applied properly. So, is there any reason for
  this behaviour? Shouldn't build dependencies either be cleaned with
  --depclean after building or be upgraded to avoid possible issues?

  Sorry if this gets in here twice, I used an incorrect account.


 Maybe you want the --with-bdeps parameter along with the -D one? man
 emerge - section Options - parameter -D
 That makes sense but then the problem is on the poor documentation we
 have in the Internet.
 http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
 Here no mention to that option is made
 Nor is in:
 http://www.gentoo.org/doc/en/gentoo-upgrading.xml

 And in fact no mention to the option is made in the doc space at all. I
 may also be wrong here but I don't recall finding it when I started with
 portage and no notice was issued since then so either I misunderstood
 it, kinda likely by then, or it was added later. And the fact it wasn't
 commented at all in the documentation didn't help.

 The question now is anybody thinks this shouldn't appear in the
 handbook? If nobody has a problem I'll prepare a patch.

 PS: howarang thanks for the point I found it really odd this was missing.



FYI: there are a truckload of options that are available in portage
but are not documented in the handbook. I'm not really sure
replicating the portage manpages in the handbook is necessarily a good
way to move forward. Ideally we would direct users to just read the
manpages.

-A



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Michał Górny
On Tue, 11 Oct 2011 12:36:15 -0700
Alec Warner anta...@gentoo.org wrote:

 On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
 (klondike) klond...@gentoo.org wrote:
  On 11/10/11 20:55, Markos Chandras wrote:
  On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
   Hi,
 
   Today I have found that build dependencies are left in the system
   but won't be upgraded when running emerge -vauD1 world. This can
   be inconvenient since security issues fixed in those left over
   packages won't be applied properly. So, is there any reason for
   this behaviour? Shouldn't build dependencies either be cleaned
   with --depclean after building or be upgraded to avoid possible
   issues?
 
   Sorry if this gets in here twice, I used an incorrect account.
 
 
  Maybe you want the --with-bdeps parameter along with the -D one?
  man emerge - section Options - parameter -D
  That makes sense but then the problem is on the poor documentation
  we have in the Internet.
  http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
  Here no mention to that option is made
  Nor is in:
  http://www.gentoo.org/doc/en/gentoo-upgrading.xml
 
  And in fact no mention to the option is made in the doc space at
  all. I may also be wrong here but I don't recall finding it when I
  started with portage and no notice was issued since then so either
  I misunderstood it, kinda likely by then, or it was added later.
  And the fact it wasn't commented at all in the documentation didn't
  help.
 
  The question now is anybody thinks this shouldn't appear in the
  handbook? If nobody has a problem I'll prepare a patch.
 
  PS: howarang thanks for the point I found it really odd this was
  missing.
 
 
 
 FYI: there are a truckload of options that are available in portage
 but are not documented in the handbook. I'm not really sure
 replicating the portage manpages in the handbook is necessarily a good
 way to move forward. Ideally we would direct users to just read the
 manpages.

Or go with saner defaults...

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Francisco Blas Izquierdo Riera (klondike)
On 11/10/11 21:36, Alec Warner wrote:
 On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
 (klondike) klond...@gentoo.org wrote:
 On 11/10/11 20:55, Markos Chandras wrote:
 On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
 Hi,
 Today I have found that build dependencies are left in the system
 but won't be upgraded when running emerge -vauD1 world. This can be
 inconvenient since security issues fixed in those left over
 packages won't be applied properly. So, is there any reason for
 this behaviour? Shouldn't build dependencies either be cleaned with
 --depclean after building or be upgraded to avoid possible issues?
 Sorry if this gets in here twice, I used an incorrect account.

 Maybe you want the --with-bdeps parameter along with the -D one? man
 emerge - section Options - parameter -D
 That makes sense but then the problem is on the poor documentation we
 have in the Internet.
 http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
 Here no mention to that option is made
 Nor is in:
 http://www.gentoo.org/doc/en/gentoo-upgrading.xml

 And in fact no mention to the option is made in the doc space at all. I
 may also be wrong here but I don't recall finding it when I started with
 portage and no notice was issued since then so either I misunderstood
 it, kinda likely by then, or it was added later. And the fact it wasn't
 commented at all in the documentation didn't help.

 The question now is anybody thinks this shouldn't appear in the
 handbook? If nobody has a problem I'll prepare a patch.

 PS: howarang thanks for the point I found it really odd this was missing.


 FYI: there are a truckload of options that are available in portage
 but are not documented in the handbook. I'm not really sure
 replicating the portage manpages in the handbook is necessarily a good
 way to move forward. Ideally we would direct users to just read the
 manpages.
Antarus, a user who has read the whole installation handbook and is new
to the distro should by then have a lot of new ideas in mind; directing
them to man pages written in a more technical way creates even more
confusion. Add to that any search on how to update / upgrade Gentoo
and you will find the same set of commands almost always:
$ emerge -u world
$ emerge -uD world
with no references to other parameters at all, which can make users
assume that it is a safe default. If you look in the docs I provided
you'll see it is the case.





Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Mike Gilbert
On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
(klondike) klond...@gentoo.org wrote:
 So, is there any reason for this behaviour? Shouldn't build dependencies
 either be cleaned with --depclean after building or be upgraded to avoid
 possible issues?


I agree: with-bdeps should either default to y or n across the board.

I understand the idea behind turning it on for depclean to reduce the
amount of uninstalls/re-installs, but I think that really just introduces
more confusion than the time savings is worth.



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Zac Medico
On 10/11/2011 11:50 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
 Hi,
 
 Today I have found that build dependencies are left in the system but
 won't be upgraded when running emerge -vauD1 world.
 This can be inconvenient since security issues fixed in those left over
 packages won't be applied properly.
 So, is there any reason for this behaviour?

1) It's a waste of time to build/update packages that won't be used for
anything. That's what --with-bdeps=y is for. If you plan to use these packages
for something, then you should add them to world or add --with-bdeps=y
to EMERGE_DEFAULT_OPTS so that they'll update automatically.

2) Aside from being a waste of resources, if we enabled --with-bdeps=y
by default for update actions then it would cause unwanted results for
people who use binary packages and don't expect the build-time deps to
get pulled in.

 Shouldn't build dependencies
 either be cleaned with --depclean after building

This is another waste of resources, since you'll have to install them
again the next time that you need them. However, you are free to use
--with-bdeps=n with --depclean if it suits you. One size does not fit
all, so that's why we have options.

 or be upgraded to avoid
 possible issues?

Again, if you plan to use these packages for something, then you should
add them to world or add --with-bdeps=y to EMERGE_DEFAULT_OPTS so that
they'll update automatically. Again, you've got choices and what suits
you doesn't necessarily suit everyone else.

Personally, I like to set EMERGE_DEFAULT_OPTS=--with-bdeps=y because I
like to know that all the build deps are at their latest versions in
case I decide to rebuild some random package.
-- 
Thanks,
Zac



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Zac Medico
On 10/11/2011 02:04 PM, Mike Gilbert wrote:
 On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
 (klondike) klond...@gentoo.org wrote:
 So, is there any reason for this behaviour? Shouldn't build dependencies
 either be cleaned with --depclean after building or be upgraded to avoid
 possible issues?

 
 I agree: with-bdeps should either default to y or n across the board.
 
 I understand the idea behind turning it on for depclean to reduce the
 amount uninstalls/re-installs, but I think that really just introduces
 more confusion than the time savings is worth.

Changing defaults is also confusing. Changing defaults to values that
are the opposite of what most people want is even more confusing.

I think the existing defaults are fine. If people are confused by them,
then I think they just need some documentation to clarify the reasons
for the existing defaults.
-- 
Thanks,
Zac



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Zac Medico
On 10/11/2011 12:56 PM, Michał Górny wrote:
 Or go with saner defaults...

So, are any of the following sane?

1) Pull in updates for packages even though those packages won't be used
for anything.

2) Pull in build-time dependencies for packages that are already built,
even though no portage version has ever done this before by default.

3) Make depclean remove build-time dependencies by default, only to have
them rebuilt/installed the next time that the system is updated.

-- 
Thanks,
Zac



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Mike Gilbert
On 10/12/2011 12:54 AM, Zac Medico wrote:
 On 10/11/2011 12:56 PM, Michał Górny wrote:
 Or go with saner defaults...
 
 So, are any of the following sane?
 
 1) Pull in updates for packages even though those packages won't be used
 for anything.
 

Francisco raised a possibly valid point in his original message: though
packages may not currently be used for anything, they could contain
un-patched security flaws.

This seems pretty unlikely to me given the sorts of packages that are
build-time-only deps, but it could be possible.





Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Zac Medico

On 10/11/2011 10:28 PM, Mike Gilbert wrote:
 On 10/12/2011 12:54 AM, Zac Medico wrote:
 On 10/11/2011 12:56 PM, Michał Górny wrote:
 Or go with saner defaults...

 So, are any of the following sane?

 1) Pull in updates for packages even though those packages won't be used
 for anything.

 
 Francisco raised a possibly valid point in his original message: though
 packages may not currently be used for anything, they could contain
 un-patched security flaws.

If they contain something that's accessed at runtime, then they should
be in RDEPEND or PDEPEND, no exceptions.

 This seems pretty unlikely to me given the sorts of packages that are
 build-time-only deps, but it could be possible.

We can try to split up people who care about this into categories:

1) People who are security conscious or just plain paranoid can set
EMERGE_DEFAULT_OPTS=--with-bdeps=y to ease their minds.

2) People who want all build-time deps up to date at all times, in case
they decide to rebuild something on a whim, can set
EMERGE_DEFAULT_OPTS=--with-bdeps=y to keep everything up to date. This
is what I do.

3) People who think they might use a particular package and want to
ensure that it's the latest version can add that package to the world
file. They can look for possible candidates in the output of `emerge
--pretend --depclean --with-bdeps=n`.
-- 
Thanks,
Zac
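As an added illustration (not code from the thread, and not Portage's own implementation), here is a toy model of the dependency walk Zac describes in the messages above: with --with-bdeps=n only RDEPEND/PDEPEND edges are followed from @world, so build-time-only deps are neither updated nor protected from depclean, and a statically linked build dep needs its reverse dependencies rebuilt separately. All package names and dependency edges are constructed.

```python
# Added example: toy model of how a deep update walks the dependency
# graph with and without --with-bdeps. Not Portage code; names constructed.
from collections import deque

# Constructed sample: package -> (runtime deps, build-time-only deps).
# Runtime deps stand for RDEPEND/PDEPEND, build-only deps for DEPEND.
PACKAGES = {
    "app-misc/foo":       ({"dev-libs/libbar"}, {"dev-util/cmake", "dev-libs/libstatic"}),
    "dev-libs/libbar":    (set(), {"dev-util/pkgconfig"}),
    "dev-util/cmake":     (set(), set()),
    "dev-util/pkgconfig": (set(), set()),
    "dev-libs/libstatic": (set(), set()),   # linked statically into foo
    "www-client/old":     (set(), set()),   # orphan, in no dep graph
}
WORLD = {"app-misc/foo"}


def required_set(world, with_bdeps):
    """Packages a deep update from @world will consider (and thus update).

    With with_bdeps=False only runtime edges are followed, mirroring the
    default for update actions; with True, DEPEND edges are followed too.
    """
    seen, queue = set(), deque(world)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        rdeps, bdeps = PACKAGES[pkg]
        queue.extend(rdeps)
        if with_bdeps:
            queue.extend(bdeps)
    return seen


def depclean_candidates(world):
    """Installed packages `emerge --pretend --depclean --with-bdeps=n`
    would list: everything not reachable over runtime edges from @world."""
    return set(PACKAGES) - required_set(world, with_bdeps=False)


def reverse_deps(target):
    """Packages whose DEPEND or RDEPEND names `target`. For a statically
    linked library these are what a security fix must rebuild; updating
    the library alone (--with-bdeps=y) does not touch them."""
    return {p for p, (rdeps, bdeps) in PACKAGES.items() if target in rdeps | bdeps}


if __name__ == "__main__":
    print("updated, --with-bdeps=n:", sorted(required_set(WORLD, False)))
    print("updated, --with-bdeps=y:", sorted(required_set(WORLD, True)))
    print("depclean --with-bdeps=n:", sorted(depclean_candidates(WORLD)))
    print("rebuild after libstatic fix:", sorted(reverse_deps("dev-libs/libstatic")))
```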



Re: [gentoo-dev] Build dependencies and upgrades.

2011-10-11 Thread Graham Murray
Zac Medico zmed...@gentoo.org writes:

 On 10/11/2011 10:28 PM, Mike Gilbert wrote:
 Francisco raised a possibly valid point in his original message: though
 packages may not currently be used for anything, they could contain
 un-patched security flaws.

 If they contain something that's accessed at runtime, then they should
 be in RDEPEND or PDEPEND, no exceptions.

But is it not possible that the flaw in the build-time dependency causes
an insecurity to be built into the dependent package and that both have
to be rebuilt as part of the security fix?