On Saturday, 17 February 2007, Duncan wrote:
> Question: With the old library still around, will revdep-rebuild even try
> to rebuild anything linked against it? Maybe I'm wrong, but I thought it
> would only rebuild when the library was actually missing. (There's also a
> hint of that in another comment, but maybe I'm reading that wrong as well.)

The question isn't so much whether revdep-rebuild picks it up; the problem from my POV is that the information to rebuild against the new library shows up only once via ewarn in pkg_postinst, and inexperienced users may not have configured the elog facility and may miss the emerge output scrolling by, so the library and everything built against it remains as it is.

Therefore I consider the preserve-libs functionality one of the biggest security threats for Gentoo users. You may dismiss this, saying the problem sits in front of the keyboard, but I'm telling you this is careless and that we can do better:

echo "/path/to/preserved.so" >> /var/lib/portage/preserved_libs

stores the libraries, and each time emerge is run Portage can look up whether the file lists libraries and check whether those exist; if not, remove the lines, or otherwise warn the user about the possibly vulnerable libraries and tell him what to do.

Simple solution at low cost. Fine with this idea?
Carsten
--
gentoo-portage-dev gentoo.org mailing list
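
The check proposed in the message above, sketched in Python as an added example; it is not Portage's code and not part of the original post. The function names are hypothetical, and the registry format (one path per line, as the echo command writes it) is taken from the message.

```python
import os
import shutil
import tempfile


def check_preserved_libs(registry_path):
    """Prune registry lines whose file is gone; return the paths still on disk."""
    try:
        with open(registry_path, encoding="utf-8") as fh:
            entries = [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return []  # nothing has been preserved yet

    remaining = []
    for path in entries:
        # Keep each path once, and only while the old library still exists.
        if path not in remaining and os.path.exists(path):
            remaining.append(path)

    if remaining != entries:
        # Rewrite through a temp file so an interrupted run cannot truncate
        # the registry and silently lose the pending warnings.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(registry_path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.writelines(p + "\n" for p in remaining)
        shutil.copymode(registry_path, tmp)
        os.replace(tmp, registry_path)
    return remaining


def format_warning(remaining):
    """Build the message to repeat on every run until the list is empty."""
    if not remaining:
        return []
    lines = ["Old library versions are still installed and may be vulnerable:"]
    lines += ["  " + path for path in remaining]
    lines.append("Rebuild the packages linked against them, then remove them.")
    return lines


if __name__ == "__main__":
    # Constructed demo: one preserved library present, one already removed.
    demo = tempfile.mkdtemp()
    old_lib = os.path.join(demo, "libexample.so.1")
    open(old_lib, "w").close()
    registry = os.path.join(demo, "preserved_libs")
    with open(registry, "w", encoding="utf-8") as fh:
        fh.write(old_lib + "\n" + os.path.join(demo, "libgone.so.2") + "\n")
    print("\n".join(format_warning(check_preserved_libs(registry))))
```
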