public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Build dependencies and upgrades.
@ 2011-10-11 18:50 Francisco Blas Izquierdo Riera (klondike)
  2011-10-11 18:55 ` Markos Chandras
                   ` (3 more replies)
  0 siblings, 4 replies; 30+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2011-10-11 18:50 UTC (permalink / raw
  To: gentoo-dev


Hi,

Today I have found that build dependencies are left in the system but
won't be upgraded when running emerge -vauD1 world.
This can be inconvenient since security issues fixed in those left over
packages won't be applied properly.
So, is there any reason for this behaviour? Shouldn't build dependencies
either be cleaned with --depclean after building or be upgraded to avoid
possible issues?

Sorry if this gets in here twice, I used an incorrect account.




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 18:50 [gentoo-dev] Build dependencies and upgrades Francisco Blas Izquierdo Riera (klondike)
@ 2011-10-11 18:55 ` Markos Chandras
  2011-10-11 19:23   ` Francisco Blas Izquierdo Riera (klondike)
  2011-10-11 21:04 ` Mike Gilbert
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 30+ messages in thread
From: Markos Chandras @ 2011-10-11 18:55 UTC (permalink / raw
  To: gentoo-dev

On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi,
> 
> Today I have found that build dependencies are left in the system
> but won't be upgraded when running emerge -vauD1 world. This can be
> inconvenient since security issues fixed in those left over 
> packages won't be applied properly. So, is there any reason for
> this behaviour? Shouldn't build dependencies either be cleaned with
> --depclean after building or be upgraded to avoid possible issues?
> 
> Sorry if this gets in here twice, I used an incorrect account.
> 
> 
Maybe you want the --with-bdeps parameter along with the -D one?. man
emerge -> section Options -> parameter -D

- -- 
Regards,
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 18:55 ` Markos Chandras
@ 2011-10-11 19:23   ` Francisco Blas Izquierdo Riera (klondike)
  2011-10-11 19:36     ` Alec Warner
  0 siblings, 1 reply; 30+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2011-10-11 19:23 UTC (permalink / raw
  To: gentoo-dev, gentoo-doc


El 11/10/11 20:55, Markos Chandras escribió:
> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
> > Hi,
>
> > Today I have found that build dependencies are left in the system
> > but won't be upgraded when running emerge -vauD1 world. This can be
> > inconvenient since security issues fixed in those left over
> > packages won't be applied properly. So, is there any reason for
> > this behaviour? Shouldn't build dependencies either be cleaned with
> > --depclean after building or be upgraded to avoid possible issues?
>
> > Sorry if this gets in here twice, I used an incorrect account.
>
>
> Maybe you want the --with-bdeps parameter along with the -D one?. man
> emerge -> section Options -> parameter -D
That makes sense, but then the problem is the poor documentation we
have on the Internet.
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
Here no mention of that option is made.
Nor is it in:
http://www.gentoo.org/doc/en/gentoo-upgrading.xml

And in fact no mention of the option is made in the doc space at all. I
may also be wrong here but I don't recall finding it when I started with
portage and no notice was issued since then so either I misunderstood
it, kinda likely by then, or it was added later. And the fact it wasn't
commented at all in the documentation didn't help.

The question now is: does anybody think this shouldn't appear in the
handbook? If nobody has a problem I'll prepare a patch.

PS: howarang thanks for the point I found it really odd this was missing.



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 19:23   ` Francisco Blas Izquierdo Riera (klondike)
@ 2011-10-11 19:36     ` Alec Warner
  2011-10-11 19:56       ` Michał Górny
  2011-10-11 20:07       ` Francisco Blas Izquierdo Riera (klondike)
  0 siblings, 2 replies; 30+ messages in thread
From: Alec Warner @ 2011-10-11 19:36 UTC (permalink / raw
  To: gentoo-dev; +Cc: gentoo-doc

On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> El 11/10/11 20:55, Markos Chandras escribió:
>> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
>> > Hi,
>>
>> > Today I have found that build dependencies are left in the system
>> > but won't be upgraded when running emerge -vauD1 world. This can be
>> > inconvenient since security issues fixed in those left over
>> > packages won't be applied properly. So, is there any reason for
>> > this behaviour? Shouldn't build dependencies either be cleaned with
>> > --depclean after building or be upgraded to avoid possible issues?
>>
>> > Sorry if this gets in here twice, I used an incorrect account.
>>
>>
>> Maybe you want the --with-bdeps parameter along with the -D one?. man
>> emerge -> section Options -> parameter -D
> That makes sense but then the problem is on the poor documentation we
> have in the Internet.
> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
> Here no mention to that option is made
> Nor is in:
> http://www.gentoo.org/doc/en/gentoo-upgrading.xml
>
> And in fact no mention to the option is made in the doc space at all. I
> may also be wrong here but I don't recall finding it when I started with
> portage and no notice was issued since then so either I misunderstood
> it, kinda likely by then, or it was added later. And the fact it wasn't
> commented at all in the documentation didn't help.
>
> The question now is anybody thinks this shouldn't appear in the
> handbook? If nobody has a problem I'll prepare a patch.
>
> PS: howarang thanks for the point I found it really odd this was missing.
>
>

FYI: there are a truckload of options that are available in portage
but are not documented in the handbook. I'm not really sure
replicating the portage manpages in the handbook is necessarily a good
way to move forward. Ideally we would direct users to just read the
manpages.

-A



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 19:36     ` Alec Warner
@ 2011-10-11 19:56       ` Michał Górny
  2011-10-12  4:54         ` Zac Medico
  2011-10-11 20:07       ` Francisco Blas Izquierdo Riera (klondike)
  1 sibling, 1 reply; 30+ messages in thread
From: Michał Górny @ 2011-10-11 19:56 UTC (permalink / raw
  To: gentoo-dev; +Cc: antarus, gentoo-doc


On Tue, 11 Oct 2011 12:36:15 -0700
Alec Warner <antarus@gentoo.org> wrote:

> On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
> > El 11/10/11 20:55, Markos Chandras escribió:
> >> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
> >> > Hi,
> >>
> >> > Today I have found that build dependencies are left in the system
> >> > but won't be upgraded when running emerge -vauD1 world. This can
> >> > be inconvenient since security issues fixed in those left over
> >> > packages won't be applied properly. So, is there any reason for
> >> > this behaviour? Shouldn't build dependencies either be cleaned
> >> > with --depclean after building or be upgraded to avoid possible
> >> > issues?
> >>
> >> > Sorry if this gets in here twice, I used an incorrect account.
> >>
> >>
> >> Maybe you want the --with-bdeps parameter along with the -D one?.
> >> man emerge -> section Options -> parameter -D
> > That makes sense but then the problem is on the poor documentation
> > we have in the Internet.
> > http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
> > Here no mention to that option is made
> > Nor is in:
> > http://www.gentoo.org/doc/en/gentoo-upgrading.xml
> >
> > And in fact no mention to the option is made in the doc space at
> > all. I may also be wrong here but I don't recall finding it when I
> > started with portage and no notice was issued since then so either
> > I misunderstood it, kinda likely by then, or it was added later.
> > And the fact it wasn't commented at all in the documentation didn't
> > help.
> >
> > The question now is anybody thinks this shouldn't appear in the
> > handbook? If nobody has a problem I'll prepare a patch.
> >
> > PS: howarang thanks for the point I found it really odd this was
> > missing.
> >
> >
> 
> FYI: there are a truckload of options that are available in portage
> but are not documented in the handbook. I'm not really sure
> replicating the portage manpages in the handbook is necessarily a good
> way to move forward. Ideally we would direct users to just read the
> manpages.

Or go with saner defaults...

-- 
Best regards,
Michał Górny


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 19:36     ` Alec Warner
  2011-10-11 19:56       ` Michał Górny
@ 2011-10-11 20:07       ` Francisco Blas Izquierdo Riera (klondike)
  1 sibling, 0 replies; 30+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2011-10-11 20:07 UTC (permalink / raw
  To: gentoo-dev


El 11/10/11 21:36, Alec Warner escribió:
> On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> El 11/10/11 20:55, Markos Chandras escribió:
>>> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>> Hi,
>>>> Today I have found that build dependencies are left in the system
>>>> but won't be upgraded when running emerge -vauD1 world. This can be
>>>> inconvenient since security issues fixed in those left over
>>>> packages won't be applied properly. So, is there any reason for
>>>> this behaviour? Shouldn't build dependencies either be cleaned with
>>>> --depclean after building or be upgraded to avoid possible issues?
>>>> Sorry if this gets in here twice, I used an incorrect account.
>>>
>>> Maybe you want the --with-bdeps parameter along with the -D one?. man
>>> emerge -> section Options -> parameter -D
>> That makes sense but then the problem is on the poor documentation we
>> have in the Internet.
>> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
>> Here no mention to that option is made
>> Nor is in:
>> http://www.gentoo.org/doc/en/gentoo-upgrading.xml
>>
>> And in fact no mention to the option is made in the doc space at all. I
>> may also be wrong here but I don't recall finding it when I started with
>> portage and no notice was issued since then so either I misunderstood
>> it, kinda likely by then, or it was added later. And the fact it wasn't
>> commented at all in the documentation didn't help.
>>
>> The question now is anybody thinks this shouldn't appear in the
>> handbook? If nobody has a problem I'll prepare a patch.
>>
>> PS: howarang thanks for the point I found it really odd this was missing.
>>
>>
> FYI: there are a truckload of options that are available in portage
> but are not documented in the handbook. I'm not really sure
> replicating the portage manpages in the handbook is necessarily a good
> way to move forward. Ideally we would direct users to just read the
> manpages.
Antarus, a user who has read the whole installation handbook and is new
to the distro should by then have a lot of new ideas in mind to direct
them to man pages written in a more technical way creating even more
confusion. Add to that any search on how to update / upgrade Gentoo
and you will find the same set of commands almost always:
$ emerge -u world
$ emerge -uD world
With no references to other parameters at all. Which can make users
assume that it is a safe default. If you look in the docs I provided
you'll see it is the case.



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 18:50 [gentoo-dev] Build dependencies and upgrades Francisco Blas Izquierdo Riera (klondike)
  2011-10-11 18:55 ` Markos Chandras
@ 2011-10-11 21:04 ` Mike Gilbert
  2011-10-11 23:27   ` [gentoo-dev] " Duncan
  2011-10-12  4:48   ` [gentoo-dev] " Zac Medico
  2011-10-12  3:13 ` Zac Medico
  2011-10-13  4:39 ` Mike Frysinger
  3 siblings, 2 replies; 30+ messages in thread
From: Mike Gilbert @ 2011-10-11 21:04 UTC (permalink / raw
  To: gentoo-dev

On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> So, is there any reason for this behaviour? Shouldn't build dependencies
> either be cleaned with --depclean after building or be upgraded to avoid
> possible issues?
>

I agree: with-bdeps should either default to y or n across the board.

I understand the idea behind turning it on for depclean to reduce the
amount of uninstalls/re-installs, but I think that really just introduces
more confusion than the time savings is worth.



^ permalink raw reply	[flat|nested] 30+ messages in thread

* [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-11 21:04 ` Mike Gilbert
@ 2011-10-11 23:27   ` Duncan
  2011-10-12 14:10     ` Rich Freeman
  2011-10-12  4:48   ` [gentoo-dev] " Zac Medico
  1 sibling, 1 reply; 30+ messages in thread
From: Duncan @ 2011-10-11 23:27 UTC (permalink / raw
  To: gentoo-dev

Mike Gilbert posted on Tue, 11 Oct 2011 17:04:02 -0400 as excerpted:

> On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> So, is there any reason for this behaviour? Shouldn't build
>> dependencies either be cleaned with --depclean after building or be
>> upgraded to avoid possible issues?
>>
>>
> I agree: with-bdeps should either default to y or n across the board.
> 
> I understand the idea behind turning it on for depclean to reduce the
> amount uninstalls/re-installs, but I think that really just introduces
> more confusion than the time savings is worth.

FWIW, --with-bdeps is a relatively new portage option.  AFAIK it was 
added during the period when the docs team was pretty much just a single 
person, who was getting further and further behind and was understandably 
burnt out, but being the only person available, he remained at his post 
tho I'm sure he would have MUCH rather done something else.

That's probably why there's no mention in the docs other than the portage 
manpage.  Now that we have swift back, he's applying some much needed 
attention to the docs tree and it's coming back into shape. =:^)

So yes, I'd suggest a handbook update is in order.  Well, either that, or 
arguably, a tweak of the portage defaults.  But of course Zac's the guy 
who knows most about that, and why the defaults are what they are, so 
he's the one that needs to answer on that angle.

Meanwhile, thanks for bringing it up, klondike. =:^)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 18:50 [gentoo-dev] Build dependencies and upgrades Francisco Blas Izquierdo Riera (klondike)
  2011-10-11 18:55 ` Markos Chandras
  2011-10-11 21:04 ` Mike Gilbert
@ 2011-10-12  3:13 ` Zac Medico
  2011-10-13  4:39 ` Mike Frysinger
  3 siblings, 0 replies; 30+ messages in thread
From: Zac Medico @ 2011-10-12  3:13 UTC (permalink / raw
  To: gentoo-dev

On 10/11/2011 11:50 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi,
> 
> Today I have found that build dependencies are left in the system but
> won't be upgraded when running emerge -vauD1 world.
> This can be inconvenient since security issues fixed in those left over
> packages won't be applied properly.
> So, is there any reason for this behaviour?

1) It's a waste of time to build/update packages that won't be used for
anything. That's what --with-bdeps=y does. If you plan to use these packages
for something, then you should add them to world or add --with-bdeps=y
to EMERGE_DEFAULT_OPTS so that they'll update automatically.

2) Aside from being a waste of resources, if we enabled --with-bdeps=y
by default for update actions then it would cause unwanted results for
people who use binary packages and don't expect the build-time deps to
get pulled in.

> Shouldn't build dependencies
> either be cleaned with --depclean after building

This is another waste of resources, since you'll have to install them
again the next time that you need them. However, you are free to use
--with-bdeps=n with --depclean if it suits you. One size does not fit
all, so that's why we have options.

> or be upgraded to avoid
> possible issues?

Again, if you plan to use these packages for something, then you should
add them to world or add --with-bdeps=y to EMERGE_DEFAULT_OPTS so that
they'll update automatically. Again, you've got choices and what suits
you doesn't necessarily suit everyone else.

Personally, I like to set EMERGE_DEFAULT_OPTS="--with-bdeps=y" because
I like to know that all the build deps are at their latest versions in
case I decide to rebuild some random package.
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 21:04 ` Mike Gilbert
  2011-10-11 23:27   ` [gentoo-dev] " Duncan
@ 2011-10-12  4:48   ` Zac Medico
  1 sibling, 0 replies; 30+ messages in thread
From: Zac Medico @ 2011-10-12  4:48 UTC (permalink / raw
  To: gentoo-dev

On 10/11/2011 02:04 PM, Mike Gilbert wrote:
> On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> So, is there any reason for this behaviour? Shouldn't build dependencies
>> either be cleaned with --depclean after building or be upgraded to avoid
>> possible issues?
>>
> 
> I agree: with-bdeps should either default to y or n across the board.
> 
> I understand the idea behind turning it on for depclean to reduce the
> amount uninstalls/re-installs, but I think that really just introduces
> more confusion than the time savings is worth.

Changing defaults is also confusing. Changing defaults to values that
are the opposite of what most people want is even more confusing.

I think the existing defaults are fine. If people are confused by them,
then I think they just need some documentation to clarify the reasons
for the existing defaults.
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 19:56       ` Michał Górny
@ 2011-10-12  4:54         ` Zac Medico
  2011-10-12  5:28           ` Mike Gilbert
  0 siblings, 1 reply; 30+ messages in thread
From: Zac Medico @ 2011-10-12  4:54 UTC (permalink / raw
  To: gentoo-dev

On 10/11/2011 12:56 PM, Michał Górny wrote:
> Or go with a saner defaults...

So, are any of the following sane?

1) Pull in updates for packages even though those packages won't be used
for anything.

2) Pull in build-time dependencies for packages that are already built,
even though no portage version has ever done this before by default.

3) Make depclean remove build-time dependencies by default, only to have
them rebuilt/installed the next time that the system is updated.

-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-12  4:54         ` Zac Medico
@ 2011-10-12  5:28           ` Mike Gilbert
  2011-10-12  5:47             ` Zac Medico
  0 siblings, 1 reply; 30+ messages in thread
From: Mike Gilbert @ 2011-10-12  5:28 UTC (permalink / raw
  To: gentoo-dev


On 10/12/2011 12:54 AM, Zac Medico wrote:
> On 10/11/2011 12:56 PM, Michał Górny wrote:
>> Or go with a saner defaults...
> 
> So, are any of the following sane?
> 
> 1) Pull in updates for packages even though those packages won't be used
> for anything.
> 

Francisco raised a possibly valid point in his original message: though
packages may not be currently used for anything, they could contain
un-patched security flaws.

This seems pretty unlikely to me given the sorts of packages that are
build-time-only deps, but it could be possible.



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-12  5:28           ` Mike Gilbert
@ 2011-10-12  5:47             ` Zac Medico
  2011-10-12  5:59               ` Graham Murray
  0 siblings, 1 reply; 30+ messages in thread
From: Zac Medico @ 2011-10-12  5:47 UTC (permalink / raw
  To: gentoo-dev


On 10/11/2011 10:28 PM, Mike Gilbert wrote:
> On 10/12/2011 12:54 AM, Zac Medico wrote:
>> On 10/11/2011 12:56 PM, Michał Górny wrote:
>>> Or go with a saner defaults...
>>
>> So, are any of the following sane?
>>
>> 1) Pull in updates for packages even though those packages won't be used
>> for anything.
>>
> 
> Francisco raised a possibly valid point in his original message: though
> packages may not be currently used for anything, but they could contain
> un-patched security flaws.

If they contain something that's accessed at runtime, then they should
be in RDEPEND or PDEPEND, no exceptions.

> This seems pretty unlikely to me given the sorts of packages that are
> build-time-only deps, but it could be possible.

We can try to split up people who care about this into categories:

1) People who are "security conscious" or just plain paranoid can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to ease their minds.

2) People who want all build-time deps up to date at all times, in case
they decide to rebuild something on a whim, can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to keep everything up to date. This
is what I do.

3) People who think they might use a particular package and want to
ensure that it's the latest version can add that package to the world
file. They can look for possible candidates in the output of `emerge
--pretend --depclean --with-bdeps=n`.
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-12  5:47             ` Zac Medico
@ 2011-10-12  5:59               ` Graham Murray
  2011-10-12  6:10                 ` Zac Medico
  0 siblings, 1 reply; 30+ messages in thread
From: Graham Murray @ 2011-10-12  5:59 UTC (permalink / raw
  To: gentoo-dev

Zac Medico <zmedico@gentoo.org> writes:

> On 10/11/2011 10:28 PM, Mike Gilbert wrote:
>> Francisco raised a possibly valid point in his original message: though
>> packages may not be currently used for anything, but they could contain
>> un-patched security flaws.
>
> If they contain something that's accessed at runtime, then they should
> be in RDEPEND or PDEPEND, no exceptions.

But is it not possible that the flaw in the build-time dependency causes
an insecurity to be built into the dependent package and that both have
to be rebuilt as part of the security fix?



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-12  5:59               ` Graham Murray
@ 2011-10-12  6:10                 ` Zac Medico
  2011-10-12 13:49                   ` Stelian Ionescu
  0 siblings, 1 reply; 30+ messages in thread
From: Zac Medico @ 2011-10-12  6:10 UTC (permalink / raw
  To: gentoo-dev

On 10/11/2011 10:59 PM, Graham Murray wrote:
> Zac Medico <zmedico@gentoo.org> writes:
> 
>> On 10/11/2011 10:28 PM, Mike Gilbert wrote:
>>> Francisco raised a possibly valid point in his original message: though
>>> packages may not be currently used for anything, but they could contain
>>> un-patched security flaws.
>>
>> If they contain something that's accessed at runtime, then they should
>> be in RDEPEND or PDEPEND, no exceptions.
> 
> But is it not possible that the flaw in the build-time dependency causes
> an insecurity to be built into the dependent package and that both have
> to be rebuilt as part of the security fix?

For statically linked libraries, yes. However, --with-bdeps=y alone
won't help you with that. You'll also have to enable
--rebuild-if-new-rev=y in order to automatically rebuild the reverse
dependencies of the statically-linked library.
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread
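
The gap discussed in this thread, as an added example that is not part of any poster's message and is not Portage code: a toy dependency walk showing which installed packages a deep world update skips while depclean keeps them, and which packages are rebuild candidates after a build-time dependency changes. The package data is constructed, the helper functions are hypothetical, and the defaults modelled (update without build deps, depclean with them) are the ones described in the thread.

```python
"""Toy model of the update/depclean asymmetry raised in this thread.

Constructed data and hypothetical helpers; this is not Portage's resolver.
"""
from collections import deque

# Constructed installed-package database: build-time deps (DEPEND) and
# run-time deps (RDEPEND) per package. All package names are made up.
INSTALLED = {
    "app-misc/demo-editor": {
        "DEPEND": ["dev-util/demo-cmake", "dev-libs/demo-static"],
        "RDEPEND": ["sys-libs/demo-zlib"],
    },
    "sys-libs/demo-zlib": {"DEPEND": ["sys-devel/demo-bison"], "RDEPEND": []},
    "dev-util/demo-cmake": {"DEPEND": [], "RDEPEND": ["dev-libs/demo-expat"]},
    "dev-libs/demo-expat": {"DEPEND": [], "RDEPEND": []},
    "dev-libs/demo-static": {"DEPEND": [], "RDEPEND": []},
    "sys-devel/demo-bison": {"DEPEND": [], "RDEPEND": []},
    "games-misc/demo-orphan": {"DEPEND": [], "RDEPEND": []},
}
WORLD = ["app-misc/demo-editor"]


def reachable(world, installed, with_bdeps):
    """Walk the graph from world; follow DEPEND edges only if with_bdeps."""
    kinds = ("RDEPEND", "DEPEND") if with_bdeps else ("RDEPEND",)
    seen, queue = set(), deque(world)
    while queue:
        pkg = queue.popleft()
        if pkg in seen or pkg not in installed:
            continue
        seen.add(pkg)
        for kind in kinds:
            queue.extend(installed[pkg][kind])
    return seen


def update_scope(world, installed, with_bdeps=False):
    """Packages a deep world update looks at (build deps skipped by default)."""
    return reachable(world, installed, with_bdeps)


def depclean_removals(world, installed, with_bdeps=True):
    """Packages depclean would remove (build deps kept by default)."""
    return set(installed) - reachable(world, installed, with_bdeps)


def unmaintained(world, installed):
    """Installed packages that depclean keeps but the default update skips."""
    kept = set(installed) - depclean_removals(world, installed)
    return sorted(kept - update_scope(world, installed))


def rebuild_candidates(updated, installed):
    """Packages built against an updated build-time dep (static libs,
    code generators): updating the dep alone does not fix them."""
    changed = set(updated)
    return sorted(p for p, d in installed.items() if changed & set(d["DEPEND"]))


if __name__ == "__main__":
    print("default update scope:", sorted(update_scope(WORLD, INSTALLED)))
    print("kept but never updated:", unmaintained(WORLD, INSTALLED))
    # Counterpart of `emerge --pretend --depclean --with-bdeps=n` in the model.
    print("depclean, bdeps=n:",
          sorted(depclean_removals(WORLD, INSTALLED, with_bdeps=False)))
    print("rebuild after demo-static update:",
          rebuild_candidates(["dev-libs/demo-static"], INSTALLED))
```

Note that the run-time dependency of a build tool (demo-expat here) falls into the same never-updated set, because it is only reachable through a build-time edge.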

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-12  6:10                 ` Zac Medico
@ 2011-10-12 13:49                   ` Stelian Ionescu
  0 siblings, 0 replies; 30+ messages in thread
From: Stelian Ionescu @ 2011-10-12 13:49 UTC (permalink / raw
  To: gentoo-dev


On Tue, 2011-10-11 at 23:10 -0700, Zac Medico wrote:
> On 10/11/2011 10:59 PM, Graham Murray wrote:
> > Zac Medico <zmedico@gentoo.org> writes:
> > 
> >> On 10/11/2011 10:28 PM, Mike Gilbert wrote:
> >>> Francisco raised a possibly valid point in his original message: though
> >>> packages may not be currently used for anything, but they could contain
> >>> un-patched security flaws.
> >>
> >> If they contain something that's accessed at runtime, then they should
> >> be in RDEPEND or PDEPEND, no exceptions.
> > 
> > But is it not possible that the flaw in the build-time dependency causes
> > an insecurity to be built into the dependent package and that both have
> > to be rebuilt as part of the security fix?
> 
> For statically linked libraries, yes. However, --with-bdeps=y alone
> won't help you with that. You'll also have to enable
> --rebuild-if-new-rev=y in order to automatically rebuild the reverse
> dependencies of the statically-linked library.

And also for source code generators such as flex, bison, autoconf,
cmake, et cætera

-- 
Stelian Ionescu a.k.a. fe[nl]ix
Quidquid latine dictum sit, altum videtur
http://common-lisp.net/project/iolib/


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-11 23:27   ` [gentoo-dev] " Duncan
@ 2011-10-12 14:10     ` Rich Freeman
  2011-10-12 15:09       ` Zac Medico
  0 siblings, 1 reply; 30+ messages in thread
From: Rich Freeman @ 2011-10-12 14:10 UTC (permalink / raw
  To: gentoo-dev

On Tue, Oct 11, 2011 at 7:27 PM, Duncan <1i5t5.duncan@cox.net> wrote:
> That's probably why there's no mention in the docs other than the portage
> manpage.  Now that we have swift back, he's applying some much needed
> attention to the docs tree and its coming back into shape. =:^)

I definitely agree that the docs probably need a little improvement.

Our docs should suggest to users the safest behavior for somebody who
doesn't know what they're doing.  That is, the behavior that leads to
the fewest bug reports or list posts or general complaints.  By all
means give them less safe alternatives with some educational material
(we empower our users).  However, the first thing presented should be
the safest default behavior.

That leads me to another concern.  The defaults should be the safe
options, and the options should be to make the actions less safe.

In my thinking the most conservative options right now are either
emerge -uDN world or emerge -uDN --with-bdeps=y world.

I'd almost prefer to see -D, -N, and --with-bdeps go away, and
that instead options like --shallow, --ignoreusechanges, and
--without-bdeps be added (ok, those are lousy names but you get the
picture).  The default without any option should be to do the "right"
thing for most people, and specifying an option should be to make the
system do something less conservative.

I just think about Debian where you tell people to run "apt-get update"
and then "apt-get upgrade" and that is it.  Their typical behavior is
not specifying anything and you get everything updated.  With Gentoo
the equivalent is "emerge world" but when you do that you potentially
miss a lot of stuff.

(And I realize the --with-bdeps part of this is debatable.)

Rich



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-12 14:10     ` Rich Freeman
@ 2011-10-12 15:09       ` Zac Medico
  2011-10-13  2:39         ` Rich Freeman
                           ` (2 more replies)
  0 siblings, 3 replies; 30+ messages in thread
From: Zac Medico @ 2011-10-12 15:09 UTC (permalink / raw
  To: gentoo-dev

On 10/12/2011 07:10 AM, Rich Freeman wrote:
> That leads me to another concern.  The defaults should be the safe
> options, and the options should be to make the actions less safe.
> 
> In my thinking the most conservative options right now are either
> emerge -uDN world or emerge -uDN --with-bdeps=y world.
> 
> I'd almost prefer to see that -D, -N, and --with-bdeps go away, and
> that instead we add options like --shallow, --ignoreusechanges, and
> --without-bdeps be added (ok, those are lousy names but you get the
> picture).  The default without any option should be to do the "right"
> thing for most people, and specifying an option should be to make the
> system do something less conservative.
> 
> I just think about Debian where you tell people run "apt-get update"
> and then "apt-get upgrade" and that is it.  Their typical behavior is
> not specifying anything and you get everything updated.  With Gentoo
> the equivalent is "emerge world" but when you do that you potentially
> miss a lot of stuff.
> 
> (And I realize the --with-bdeps part of this is debatable.)


How about if we add a `emerge --upgrade` target that is analogous to
`apt-get upgrade`? If we hide the new defaults behind a target like
--upgrade, rather than change the defaults globally, then it allows
people's existing scripted and habitual emerge commands to continue to
work in a backward compatible manner.
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-12 15:09       ` Zac Medico
@ 2011-10-13  2:39         ` Rich Freeman
  2011-10-13  2:55         ` Duncan
  2011-10-13  3:20         ` Mike Frysinger
  2 siblings, 0 replies; 30+ messages in thread
From: Rich Freeman @ 2011-10-13  2:39 UTC (permalink / raw
  To: gentoo-dev

On Wed, Oct 12, 2011 at 11:09 AM, Zac Medico <zmedico@gentoo.org> wrote:
> How about if we add a `emerge --upgrade` target that is analogous to
> `apt-get upgrade`? If we hide the new defaults behind a target like
> --upgrade, rather than change the defaults globally, then it allows
> people's existing scripted and habitual emerge commands to continue to
> work in a backward compatible manner.

I think this is a good idea - and I wasn't seriously proposing that we
just change those flags (if we were to do it we'd have to deprecate
them slowly/etc).

Perhaps define that --upgrade means "do the right thing (TM)" and that
it shouldn't be used in scripts unless those using the script are
willing to tolerate that this behavior could change over time.

Rich



^ permalink raw reply	[flat|nested] 30+ messages in thread

* [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-12 15:09       ` Zac Medico
  2011-10-13  2:39         ` Rich Freeman
@ 2011-10-13  2:55         ` Duncan
  2011-10-13  3:20         ` Mike Frysinger
  2 siblings, 0 replies; 30+ messages in thread
From: Duncan @ 2011-10-13  2:55 UTC (permalink / raw
  To: gentoo-dev

Zac Medico posted on Wed, 12 Oct 2011 08:09:56 -0700 as excerpted:

> On 10/12/2011 07:10 AM, Rich Freeman wrote:
>> The defaults should be [safe] and the options should [flexibly
>> allow less safety where judged necessary].
>> 
>> In my thinking the most conservative options right now are either
>> emerge -uDN world or emerge -uDN --with-bdeps=y world.
>> 
>> I'd almost prefer to see that -D, -N, and --with-bdeps go away, and
>> that instead we add options like --shallow, --ignoreusechanges [...]

>> I just think about Debian where you tell people run "apt-get update"
>> and then "apt-get upgrade" and that is it.  Their typical behavior is
>> not specifying anything and you get everything updated.  With Gentoo
>> the equivalent is "emerge world" but when you do that you potentially
>> miss a lot of stuff.
>> 
>> (And I realize the --with-bdeps part of this is debatable.)

I've privately thought similarly for quite some time, but rationalized 
it, as I expect many have, with the "gentoo isn't and never has been 
about babysitting" thing.  We expect, even essentially demand, that our 
users actively, assertively make their own choices in such matters by choosing 
the options that make sense for them, because otherwise, there's 
basically no point to running the distro.

But that doesn't mean we can't create a simple default that "just works" 
and is secure without all the arcane options.

> How about if we add a `emerge --upgrade` target that is analogous to
> `apt-get upgrade`? If we hide the new defaults behind a target like
> --upgrade, rather than change the defaults globally, then it allows
> people's existing scripted and habitual emerge commands to continue to
> work in a backward compatible manner.

This was exactly the point and suggestion that I expected Zac to make, 
and that I agree with just as strongly.  Don't break existing working 
assumptions and scripts with new defaults, but do take advantage of the 
opportunity presented by this discussion to create a single sensible 
option that "just works" and does so safely. =:^)

Meanwhile, Zac, if I may, another suggestion.  In the manpage and other 
documentation of this option, specifically note that the intended purpose 
is a single option that "just works", and that as such, specific behavior 
of the option may change as portage itself changes.  Thus, for scripts, 
etc, where unchanging specific behavior is intended, the individual 
specific options are recommended, instead.

That way, a half decade or whatever down the line, when portage's best 
defaults have again changed, we won't be faced with the problem of 
creating a new "best single default option" to avoid breaking existing 
assumptions, because the explicit assumption about this option is that it 
will always do what's considered best, even if that changes its behavior 
over time, and people have the option of picking either unchanging 
behavior with individual options, if that's desired, or a single option 
that's always intended to give the best behavior, even if that changes 
over time.

In that regard, perhaps call the option --best, or some such, so it can 
be used for upgrades, fetches, or whatever, and can be suggested for 
EMERGE_DEFAULT_OPTS, where --upgrade might not always be appropriate.

Also, make it possible to override what --best might otherwise do with 
later options.  So a command including --best --with-bdeps=n in that 
order would do what --best would do, except --with-bdeps=n would override 
it for that specific option.  (Conversely, --with-bdeps=n --best would 
ignore the bdeps option since best overrode it.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




^ permalink raw reply	[flat|nested] 30+ messages in thread
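
The ordering rule proposed in the message above, worked through as an added example (not Portage code and not written by anyone in this thread). `--best` is the hypothetical option from that message; its expansion is assumed to be the `-uDN --with-bdeps=y` command quoted there, and the baseline values and the placement of default options ahead of the command line are assumptions of the example.

```python
import shlex

# Assumed expansion of the hypothetical --best preset, taken from the
# "most conservative" command quoted in the thread: emerge -uDN --with-bdeps=y
BEST_PRESET = {"update": True, "deep": True, "newuse": True, "with_bdeps": "y"}

# Assumed values when no option is given at all.
BASELINE = {"update": False, "deep": False, "newuse": False,
            "with_bdeps": "n", "oneshot": False}

SHORT = {"u": "update", "D": "deep", "N": "newuse", "1": "oneshot"}
LONG = {"--update": "update", "--deep": "deep",
        "--newuse": "newuse", "--oneshot": "oneshot"}


def resolve(argv, default_opts=""):
    """Resolve options strictly left to right; the last writer of a key wins.

    Returns (opts, source, targets). `source` records which argument last
    set each option, so a wrapper can report what made a run less
    conservative than the preset.
    """
    opts = dict(BASELINE)
    source = {key: "baseline" for key in opts}
    targets = []

    def assign(key, value, origin):
        opts[key] = value
        source[key] = origin

    # Assumption: default options are processed before the command line,
    # so anything typed by the user can override them.
    for arg in shlex.split(default_opts) + list(argv):
        if arg == "--best":
            for key, value in BEST_PRESET.items():
                assign(key, value, "--best")
        elif arg.startswith("--with-bdeps="):
            value = arg.split("=", 1)[1]
            if value not in ("y", "n"):
                raise ValueError(f"--with-bdeps takes y or n, got {value!r}")
            assign("with_bdeps", value, arg)
        elif arg in LONG:
            assign(LONG[arg], True, arg)
        elif arg.startswith("--"):
            raise ValueError(f"unknown option {arg!r}")
        elif arg.startswith("-") and len(arg) > 1:
            for flag in arg[1:]:          # bundled short flags, e.g. -uDN
                if flag not in SHORT:
                    raise ValueError(f"unknown flag -{flag}")
                assign(SHORT[flag], True, arg)
        else:
            targets.append(arg)           # package atom or @set
    return opts, source, targets


if __name__ == "__main__":
    cases = [
        (["--best", "--with-bdeps=n", "@world"], ""),
        (["--with-bdeps=n", "--best", "@world"], ""),
        (["-1", "--with-bdeps=n", "sys-apps/portage"], "--best"),
    ]
    for argv, defaults in cases:
        opts, source, targets = resolve(argv, defaults)
        print(defaults, argv, "->", opts["with_bdeps"], "set by", source["with_bdeps"])
```
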

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-12 15:09       ` Zac Medico
  2011-10-13  2:39         ` Rich Freeman
  2011-10-13  2:55         ` Duncan
@ 2011-10-13  3:20         ` Mike Frysinger
  2011-10-13  3:26           ` Rich Freeman
                             ` (2 more replies)
  2 siblings, 3 replies; 30+ messages in thread
From: Mike Frysinger @ 2011-10-13  3:20 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: Text/Plain, Size: 228 bytes --]

On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
> How about if we add a `emerge --upgrade` target that is analogous to
> `apt-get upgrade`?

isn't that already done with @installed ?  `emerge --upgrade @installed`
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  3:20         ` Mike Frysinger
@ 2011-10-13  3:26           ` Rich Freeman
  2011-10-13  4:36             ` Mike Frysinger
  2011-10-13  4:53             ` Duncan
  2011-10-13  5:33           ` Michał Górny
  2011-10-13 19:12           ` Zac Medico
  2 siblings, 2 replies; 30+ messages in thread
From: Rich Freeman @ 2011-10-13  3:26 UTC (permalink / raw
  To: gentoo-dev

On Wed, Oct 12, 2011 at 11:20 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
>> How about if we add a `emerge --upgrade` target that is analogous to
>> `apt-get upgrade`?
>
> isn't that already done with @installed ?  `emerge --upgrade @installed`

Well, you'd arguably at least need a -N in there.

Also, this doesn't work in stable portage - I assume this is something
available in the newer branch.  In any case, if that is the "right
thing" then we should update our docs accordingly.

Also - will doing an emerge -u @installed add those packages to @world
- ie do we need to throw a -1 in there, or is this behavior coded in
as an exception?

Rich



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  3:26           ` Rich Freeman
@ 2011-10-13  4:36             ` Mike Frysinger
  2011-10-13  4:53             ` Duncan
  1 sibling, 0 replies; 30+ messages in thread
From: Mike Frysinger @ 2011-10-13  4:36 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: Text/Plain, Size: 1349 bytes --]

On Wednesday 12 October 2011 23:26:28 Rich Freeman wrote:
> On Wed, Oct 12, 2011 at 11:20 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> > On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
> >> How about if we add a `emerge --upgrade` target that is analogous to
> >> `apt-get upgrade`?
> > 
> > isn't that already done with @installed ?  `emerge --upgrade @installed`
> 
> Well, you'd arguably at least need a -N in there.

that's orthogonal to the issue and the target.  the OP wanted to upgrade "all 
packages" which is @installed.  if you want to rebuild when USE flags change, 
then use --newuse.  no target should imply different option behavior.

> Also, this doesn't work in stable portage - I assume this is something
> available in the newer branch.

it works for me, but i'm using latest portage (the _alpha## stuff).  any 
proposed change would require an update anyways ...

> Also - will doing an emerge -u @installed add those packages to @world
> - ie do we need to throw a -1 in there, or is this behavior coded in
> as an exception?

i don't know about set behavior and the world file.  it would make sense to me 
that "world" would special case @system and @installed and not add it to 
@world unlike other sets (i know that other sets do get added to world).  Zac 
would know of course.
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Build dependencies and upgrades.
  2011-10-11 18:50 [gentoo-dev] Build dependencies and upgrades Francisco Blas Izquierdo Riera (klondike)
                   ` (2 preceding siblings ...)
  2011-10-12  3:13 ` Zac Medico
@ 2011-10-13  4:39 ` Mike Frysinger
  2011-10-13  7:12   ` [gentoo-dev] " Duncan
  3 siblings, 1 reply; 30+ messages in thread
From: Mike Frysinger @ 2011-10-13  4:39 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: Text/Plain, Size: 338 bytes --]

On Tuesday 11 October 2011 14:50:27 Francisco Blas Izquierdo Riera (klondike) 
> This can be inconvenient since security issues fixed in those left over
> packages won't be applied properly.

`glsa-check -f affected`.  i thought there was talk of an automatic @security 
set at some point, but not sure if that got anywhere.
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  3:26           ` Rich Freeman
  2011-10-13  4:36             ` Mike Frysinger
@ 2011-10-13  4:53             ` Duncan
  1 sibling, 0 replies; 30+ messages in thread
From: Duncan @ 2011-10-13  4:53 UTC (permalink / raw
  To: gentoo-dev

Rich Freeman posted on Wed, 12 Oct 2011 23:26:28 -0400 as excerpted:

> On Wed, Oct 12, 2011 at 11:20 PM, Mike Frysinger <vapier@gentoo.org>
> wrote:
>> isn't that already done with @installed ?  `emerge --upgrade
>> @installed`
> 
> Well, you'd arguably at least need a -N in there.

Indeed.

> Also, this doesn't work in stable portage - I assume this is something
> available in the newer branch.

Yes.  @ denotes a set.  Stable portage doesn't have sets in general yet, 
although it is set up to recognize the two special sets, @system and @world 
(which for those sets only, for backward compatibility, may appear with 
or without the @).

> In any case, if that is the "right thing" then we should update
> our docs accordingly.

Of course, that would need to wait for sets to stabilize.  When that 
might be I haven't the foggiest, but it'd be nice to not have to be 
running hard-masked portage, again.  (FWIW, my world file is entirely 
empty as all the packages formerly contained therein are now in custom 
sets, @local.admin, @local.fonts, @local.kde.base.kdebase.workspace, 
@local.xorg, etc, and those are in turn listed in the world-sets file, 
not world, which is for packages, not sets.)

> Also - will doing an emerge -u @installed add those packages to @world -
> ie do we need to throw a -1 in there, or is this behavior coded in as an
> exception?

Sets are recognized by the @ in front of them, and would normally be 
added to world-sets instead of world, but there's a number of special 
sets like @selected (@world minus packages only pulled in by @system), 
@system, @world, @installed, @live-rebuild (basically -9999 versions), 
@preserved-rebuild, @security, @unavailable-binaries (AFAIK, @installed 
minus binpkg-available), @module-rebuild (external kernel modules), 
@x11-module-rebuild, etc.

So yes, @installed is one of the special sets and therefore an exception.


But... talking about -1 in context of --best (or whatever), I've always 
wondered why that wasn't the default, as well.  Only add the package to 
@world if the user specifies to do so.  That way a user can remerge an 
individual package (or set), without having to worry about whether it's 
going to be added to the world (world-sets) file, as it's only added when 
the option is specifically listed.

But for that to work with --best, --best would have to be in 
EMERGE_DEFAULT_OPTIONS (with --best cancellable by later options if 
necessary), or people would be even MORE likely to forget to add the -1 
for one-off emerges.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  5:33           ` Michał Górny
@ 2011-10-13  5:33             ` Mike Frysinger
  0 siblings, 0 replies; 30+ messages in thread
From: Mike Frysinger @ 2011-10-13  5:33 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: Text/Plain, Size: 554 bytes --]

On Thursday 13 October 2011 01:33:07 Michał Górny wrote:
> On Wed, 12 Oct 2011 23:20:23 -0400 Mike Frysinger wrote:
> > On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
> > > How about if we add a `emerge --upgrade` target that is analogous to
> > > `apt-get upgrade`?
> > 
> > isn't that already done with @installed ?  `emerge --upgrade
> > @installed`
> 
> Wouldn't that upgrade packages which are not needed by anything as
> well? I.e. those which will be removed on next depclean.

pretty sure that's what the OP wanted
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  3:20         ` Mike Frysinger
  2011-10-13  3:26           ` Rich Freeman
@ 2011-10-13  5:33           ` Michał Górny
  2011-10-13  5:33             ` Mike Frysinger
  2011-10-13 19:12           ` Zac Medico
  2 siblings, 1 reply; 30+ messages in thread
From: Michał Górny @ 2011-10-13  5:33 UTC (permalink / raw
  To: gentoo-dev; +Cc: vapier

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

On Wed, 12 Oct 2011 23:20:23 -0400
Mike Frysinger <vapier@gentoo.org> wrote:

> On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
> > How about if we add a `emerge --upgrade` target that is analogous to
> > `apt-get upgrade`?
> 
> isn't that already done with @installed ?  `emerge --upgrade
> @installed` -mike

Wouldn't that upgrade packages which are not needed by anything as
well? I.e. those which will be removed on next depclean.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 316 bytes --]

^ permalink raw reply	[flat|nested] 30+ messages in thread

* [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  4:39 ` Mike Frysinger
@ 2011-10-13  7:12   ` Duncan
  2011-10-13 21:11     ` Zac Medico
  0 siblings, 1 reply; 30+ messages in thread
From: Duncan @ 2011-10-13  7:12 UTC (permalink / raw
  To: gentoo-dev

Mike Frysinger posted on Thu, 13 Oct 2011 00:39:52 -0400 as excerpted:

> i thought there was talk of an automatic @security set at some point,
> but not sure if that got anywhere.

Sets (other than @system and @world) aren't available in stable portage 
yet.  Are they even in ~arch?  I've been running the masked 2.2 in 
order to have sets for so long it's beginning to feel like openrc all 
over again, except now it's not even in ~arch, AFAIK. <sigh>

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  3:20         ` Mike Frysinger
  2011-10-13  3:26           ` Rich Freeman
  2011-10-13  5:33           ` Michał Górny
@ 2011-10-13 19:12           ` Zac Medico
  2 siblings, 0 replies; 30+ messages in thread
From: Zac Medico @ 2011-10-13 19:12 UTC (permalink / raw
  To: gentoo-dev

On 10/12/2011 08:20 PM, Mike Frysinger wrote:
> On Wednesday 12 October 2011 11:09:56 Zac Medico wrote:
>> How about if we add a `emerge --upgrade` target that is analogous to
>> `apt-get upgrade`?
> 
> isn't that already done with @installed ?  `emerge --upgrade @installed`

At this time, @installed tends to trigger unsolvable blockers during
updates [1], so it's not really usable for general purpose updates
unless you want users to go back to the days of solving blockers by
themselves even though the package manager is capable of doing it
automatically.

Also, @installed pulls in slot atoms just for the installed slots, so it
won't pull in new slots like un-slotted atoms would.

[1] https://bugs.gentoo.org/show_bug.cgi?id=387059
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [gentoo-dev] Re: Build dependencies and upgrades.
  2011-10-13  7:12   ` [gentoo-dev] " Duncan
@ 2011-10-13 21:11     ` Zac Medico
  0 siblings, 0 replies; 30+ messages in thread
From: Zac Medico @ 2011-10-13 21:11 UTC (permalink / raw
  To: gentoo-dev



On Thu, Oct 13, 2011 at 12:12 AM, Duncan <1i5t5.duncan@cox.net> wrote:
> Mike Frysinger posted on Thu, 13 Oct 2011 00:39:52 -0400 as excerpted:
>
>> i thought there was talk of an automatic @security set at some point,
>> but not sure if that got anywhere.

Marius (genone) added @security support along with the other sets in
portage-2.2, and it's still supported.

> Sets (other than @system and @world) aren't available in stable portage
> yet.  Are they even in ~arch? 

We migrate features to ~arch (which becomes stable) as soon as they're
in a state that we're happy enough to support long-term. Bug 144480 [1]
tracks issues related to sets.

> I've been running the masked 2.2 in
> order to have sets for so long it's beginning to feel like openrc all
> over again, except now it's not even in ~arch, AFAIK. <sigh>

FWIW, we've already got plans to bring support for /etc/portage/sets to
~arch [2].

[1] https://bugs.gentoo.org/show_bug.cgi?id=144480
[2] https://bugs.gentoo.org/show_bug.cgi?id=384061
-- 
Thanks,
Zac



^ permalink raw reply	[flat|nested] 30+ messages in thread

end of thread, other threads:[~2011-10-13 21:12 UTC | newest]

Thread overview: 30+ messages
2011-10-11 18:50 [gentoo-dev] Build dependencies and upgrades Francisco Blas Izquierdo Riera (klondike)
2011-10-11 18:55 ` Markos Chandras
2011-10-11 19:23   ` Francisco Blas Izquierdo Riera (klondike)
2011-10-11 19:36     ` Alec Warner
2011-10-11 19:56       ` Michał Górny
2011-10-12  4:54         ` Zac Medico
2011-10-12  5:28           ` Mike Gilbert
2011-10-12  5:47             ` Zac Medico
2011-10-12  5:59               ` Graham Murray
2011-10-12  6:10                 ` Zac Medico
2011-10-12 13:49                   ` Stelian Ionescu
2011-10-11 20:07       ` Francisco Blas Izquierdo Riera (klondike)
2011-10-11 21:04 ` Mike Gilbert
2011-10-11 23:27   ` [gentoo-dev] " Duncan
2011-10-12 14:10     ` Rich Freeman
2011-10-12 15:09       ` Zac Medico
2011-10-13  2:39         ` Rich Freeman
2011-10-13  2:55         ` Duncan
2011-10-13  3:20         ` Mike Frysinger
2011-10-13  3:26           ` Rich Freeman
2011-10-13  4:36             ` Mike Frysinger
2011-10-13  4:53             ` Duncan
2011-10-13  5:33           ` Michał Górny
2011-10-13  5:33             ` Mike Frysinger
2011-10-13 19:12           ` Zac Medico
2011-10-12  4:48   ` [gentoo-dev] " Zac Medico
2011-10-12  3:13 ` Zac Medico
2011-10-13  4:39 ` Mike Frysinger
2011-10-13  7:12   ` [gentoo-dev] " Duncan
2011-10-13 21:11     ` Zac Medico
