On Tuesday 15 May 2007, Carsten Lohrke wrote:
> On Tuesday, 15 May 2007, Caleb Tennis wrote:
> > I just read the bug, but I don't see any compelling reason against using
> > the preserve_old stuff.
>
> The big problem with it is that we do not store information about retained
> libraries and let portage throw warnings. When people miss such a post
> install message, the library potentially remains forever in the system, not
> unlikely with seldom updated stuff linking against it. As soon as a
> vulnerability is popping up, the system is vulnerable, remains vulnerable
> and its owner assumes everything is fine.

Not really.

Every merge will continue to warn about the library still being on the system.

The only things that will be vuln are things that were not rebuilt -- but that
would be because the user did not run revdep-rebuild.

You could also make the case that people who don't reboot their system would
remain vuln as the broken lib would stay in memory -- it isn't uncommon for me
to have a KDE system running for months without even logging out.
-mike
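An added example, not code from this thread and not Portage's or revdep-rebuild's own code: a POSIX shell check for the leftover Carsten describes, a shared library that is still on disk but that no installed package records in its /var/db/pkg CONTENTS file. It builds a constructed fixture (a fake vdb and /usr/lib under a temp directory), so it runs offline; on a real system you would point it at / and scan every library directory, not just /usr/lib as assumed here. Note that this is an ownership check, which is a different question from the broken-linkage check revdep-rebuild performs.

```sh
#!/bin/sh
# Report *.so files under <root>/usr/lib that no installed package owns.
# CONTENTS lines look like:
#   obj /usr/lib/libfoo.so.2.0.0 <md5> <mtime>
#   sym /usr/lib/libfoo.so.2 -> libfoo.so.2.0.0 <mtime>
# Field 2 is the installed path in both cases.
# Assumption: only /usr/lib is scanned; add /lib, /usr/lib64, ... for real use.
find_orphan_libs() {
    root="$1"
    owned=$(mktemp)
    # Every path recorded by an installed package (regular files and symlinks).
    find "$root/var/db/pkg" -name CONTENTS \
        -exec awk '$1 == "obj" || $1 == "sym" { print $2 }' {} + > "$owned"
    # Compare each on-disk library path (root prefix stripped) with that list.
    find "$root/usr/lib" \( -type f -o -type l \) -name '*.so*' | sort |
    while read -r path; do
        rel="${path#"$root"}"
        grep -Fxq -- "$rel" "$owned" || echo "$rel"
    done
    rm -f "$owned"
}

# Number of orphaned library files under <root>.
count_orphan_libs() {
    find_orphan_libs "$1" | wc -l | tr -d ' '
}

# Constructed fixture: dev-libs/foo-2.0 is installed and owns libfoo.so.2,
# while libfoo.so.1 is a preserved leftover that no package records.
make_fixture() {
    root=$(mktemp -d)
    pkg="$root/var/db/pkg/dev-libs/foo-2.0"
    mkdir -p "$pkg" "$root/usr/lib"
    printf '%s\n' \
        'obj /usr/lib/libfoo.so.2.0.0 00000000000000000000000000000000 1179187200' \
        'sym /usr/lib/libfoo.so.2 -> libfoo.so.2.0.0 1179187200' > "$pkg/CONTENTS"
    : > "$root/usr/lib/libfoo.so.2.0.0"
    ln -s libfoo.so.2.0.0 "$root/usr/lib/libfoo.so.2"
    : > "$root/usr/lib/libfoo.so.1.0.0"          # old ABI, owned by nobody
    ln -s libfoo.so.1.0.0 "$root/usr/lib/libfoo.so.1"
    echo "$root"
}

demo_root=$(make_fixture)
find_orphan_libs "$demo_root"    # prints the two libfoo.so.1 entries
rm -rf "$demo_root"
```

The point of the ownership list is that a missed post-install warning leaves no trace, whereas a file that no CONTENTS entry claims is something a cron job or a monitoring check can flag every day until someone rebuilds the consumers and removes it.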
