[Nottingham] Gentoo portage tips
Robert Davies
nottingham at mailman.lug.org.uk
Mon Sep 1 13:01:01 2003
On Monday 01 Sep 2003 12:19, Roger Light wrote:
> >2) Upgrade all security critical updates
> >
> >A weakness of portage was that packages installed to fulfill dependencies
> >might not get updated after security alerts, unless you specifically have
> >emerged them.
>
> I believe that adding -D or --deep to the options will do this. You'd best
> look at the man page because I'm not *entirely* sure that it is doing what
> you want.

No, that option additionally recursively checks the dependencies of the
dependencies, but as stated before, the package you installed is perfectly
happy with the old vulnerable package version.

Portage could have some sort of pseudo-target, called something like 'secure',
which forces updates of known vulnerable packages by depending on them. I
think I saw the suggestion in the Gentoo forums (or Bugzilla) when I looked
into it before. Even that needs some special support, so it can update a
dependency, if and only if it's already installed. Obviously if nothing
else depends on the vulnerable package, a good solution might be to remove it
completely.

Before, what I did was lash up a script that generated a temporary world file,
with *all* the packages in it, but that updates absolutely everything, rather
than being selective about bug-fixes and vulnerabilities.

Rob
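
The selection rule the message describes for a 'secure' pseudo-target, sketched as an added example that is not part of the original post and not Portage code: update a known-vulnerable package only if it is already installed, and flag it for removal if nothing installed depends on it. The function names, the data layout, the simplified version format and every package, version and advisory below are constructed assumptions.

```python
import re

# Constructed sample data (not real packages or advisories).
INSTALLED = {"app-misc/frontend": "2.1", "dev-libs/libvuln": "1.0.2",
             "dev-libs/orphan": "0.9", "net-misc/tool": "3.4-r1"}
WORLD = {"app-misc/frontend", "net-misc/tool"}         # explicitly emerged
RDEPS = {"dev-libs/libvuln": {"app-misc/frontend"}}    # who depends on what
ADVISORIES = {"dev-libs/libvuln": "1.0.3", "dev-libs/orphan": "1.0",
              "net-misc/tool": "3.4-r1", "www-servers/absent": "2.0"}


def parse_version(v):
    """Sort key for a simplified version: dotted integers plus optional -rN.
    Assumption: real Portage versions also allow letters and _suffix parts."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def plan_secure(installed, world, rdeps, advisories):
    """Return (update, remove) lists for a hypothetical 'secure' target.

    installed  : {package: installed version}
    world      : set of packages the user emerged explicitly
    rdeps      : {package: set of packages that depend on it}
    advisories : {package: first fixed version}
    """
    update, remove = [], []
    for pkg, fixed in sorted(advisories.items()):
        have = installed.get(pkg)
        if have is None:
            continue  # never pull in a package that is not already installed
        if parse_version(have) >= parse_version(fixed):
            continue  # already at or past the fixed version
        # Still wanted if the user asked for it or an installed package needs it.
        needed = pkg in world or any(r in installed for r in rdeps.get(pkg, ()))
        (update if needed else remove).append(pkg)
    return update, remove


if __name__ == "__main__":
    to_update, to_remove = plan_secure(INSTALLED, WORLD, RDEPS, ADVISORIES)
    print("update:", to_update)
    print("candidates for removal:", to_remove)
```

Unlike the temporary world file listing every package, this touches only packages that have an advisory and are installed below the fixed version.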