On Saturday, 17 February 2007, Duncan wrote:
> Question:  With the old library still around, will revdep-rebuild even try
> to rebuild anything linked against it?  Maybe I'm wrong, but I thought it
> would only rebuild when the library was actually missing.  (There's also a
> hint of that in another comment, but maybe I'm reading that wrong as well.)

The question isn't so much whether revdep-rebuild picks it up; the problem from my 
POV is that the information to rebuild against the new library shows up only 
once via ewarn in pkg_postinst, and inexperienced users may not have 
configured the elog facility and may miss the emerge output scrolling by, 
so the library and everything built against it remains as it is.

Therefore I consider the preserve-libs functionality one of the biggest 
security threats for Gentoo users. You may dismiss this, saying the problem 
sits in front of the keyboard, but I'm telling you this is careless and that 
we can do better:

echo "/path/to/preserved.so" >> /var/lib/portage/preserved_libs

stores the libraries, and each time emerge is run Portage can look up whether 
the file lists libraries and check whether those exist; if not, remove the 
lines, or otherwise warn the user about the possibly vulnerable libraries and 
tell him what to do.

Simple solution at low cost. Fine with this idea?


Carsten


-- 
gentoo-portage-dev@gentoo.org mailing list
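
The check proposed in the message above, as an added example that is not part of the original post and not Portage code: it prunes registry entries whose file is gone and warns about the ones still on disk. The function name, the exit-status convention and the warning wording are assumptions; the registry path and its one-path-per-line format come from the message.

```shell
#!/bin/sh
# Added illustration of the proposed check; not Portage's implementation.
# Registry format (from the message): one library path per line, appended
# with `echo "/path/to/preserved.so" >> /var/lib/portage/preserved_libs`.

# check_preserved_libs REGISTRY   (hypothetical helper name)
#   Removes entries whose file no longer exists, warns about the rest.
#   Exit status: 0 = no preserved libraries left, 1 = some remain, 2 = error.
check_preserved_libs() {
    registry=$1
    [ -f "$registry" ] || return 0      # nothing was ever preserved

    # Build the pruned list next to the registry so the final mv is atomic.
    tmp=$(mktemp "${registry}.XXXXXX") || return 2

    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -n "$lib" ] || continue       # skip blank lines
        if [ -e "$lib" ]; then          # still installed: keep the entry
            printf '%s\n' "$lib" >> "$tmp"
        fi
    done < "$registry"

    # Repeated appends can list the same library twice; report it once.
    sort -u -o "$tmp" "$tmp"
    chmod 644 "$tmp"                    # mktemp creates the file as 0600
    mv -f "$tmp" "$registry" || return 2

    if [ -s "$registry" ]; then
        {
            echo "WARNING: old libraries were preserved and are still installed:"
            sed 's/^/    /' "$registry"
            echo "They may be vulnerable. Rebuild the packages linked against"
            echo "them, then remove the old libraries."
        } >&2
        return 1
    fi
    return 0
}

# Usage, e.g. at the start of every emerge run:
#   check_preserved_libs /var/lib/portage/preserved_libs
```

Because the warning repeats on every run until the entry disappears, it does not depend on the user having seen the one-time ewarn output.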
