public inbox for gentoo-dev@lists.gentoo.org
From: "Jan Kundrát" <jkt@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] EAPI 2 policy for portage tree
Date: Tue, 09 Dec 2008 17:57:21 +0100
Message-ID: <493EA371.3030609@gentoo.org>
In-Reply-To: <493DB50A.8090403@jmhengen.net>

Jean-Marc Hengen wrote:
> tree and my policies (more precisely: I can't keep current stable 
> portage and cmake-2.6.2). My solution to the problem, was to copy the 
> ebuild in /var/db/pkg to my local overlay and I'm fine with it for now. 
> The drawback of this workaround is, I could miss important fixes, like 
> security fixes.

[snip]

> the cmake-2.6.2 ebuild. This has the advantage, that people with a setup 
> like mine can continue to use, what they already use and work on the 
> cmake ebuild can continue in the new revision. If the new revision fixes 
> a security issue, one can mask the old version, with a message with bug 
> telling this.

Just FYI, there's no difference -- when you've chosen to use the ~arch 
version, you *have* to follow any updates to it as soon as possible if 
you want to be reasonably sure you aren't affected by a security bug, as 
our security team doesn't issue GLSAs for ~arch packages. Sticking with 
a version that works for you doesn't mean you're somehow protected from 
security bugs.

So to put this into perspective with cmake -- if there was a security 
bug in current version (which you'd keep as you don't want to upgrade 
Portage) and the fix for this bug would be using EAPI=2 (which is not an 
unrealistic situation), you'd be affected.

Cheers,
-jkt

-- 
cd /local/pub && more beer > /dev/mouth


