From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-88510-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D1593138334
	for <garchives@archives.gentoo.org>; Thu, 12 Sep 2019 21:11:41 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 72161E0CCC;
	Thu, 12 Sep 2019 21:11:37 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 1643AE0C7C
	for <gentoo-dev@lists.gentoo.org>; Thu, 12 Sep 2019 21:11:37 +0000 (UTC)
Received: from [192.168.1.100] (c-98-218-46-55.hsd1.md.comcast.net [98.218.46.55])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: mjo)
	by smtp.gentoo.org (Postfix) with ESMTPSA id CE69F34B0CD
	for <gentoo-dev@lists.gentoo.org>; Thu, 12 Sep 2019 21:11:35 +0000 (UTC)
Subject: Re: [gentoo-dev] [PATCH 3/3] dev-vcs/hub: migrate to go-module.eclass
To: gentoo-dev@lists.gentoo.org
References: <20190911172128.18885-1-williamh@gentoo.org>
 <20190911172128.18885-4-williamh@gentoo.org>
 <f7b0d6ce-4bad-0daf-4e62-ac941f573bf4@gentoo.org>
 <CAAr7Pr8_VhHsPvNvwUMVh-jX7z+7uOQBPNjx_FbBocRzh9brcQ@mail.gmail.com>
 <20190911234815.GA21591@whubbs1.dev.av1.gaikai.org>
 <CAAr7Pr-WK2VcB+CJAY8HXTK7kyXqf4KnCb+DSe+CwsmoEAbFjQ@mail.gmail.com>
 <20190912154634.GB23846@whubbs1.dev.av1.gaikai.org>
 <88094567-323c-6f6a-a1d9-0c1b77ef53e3@gentoo.org>
 <CAAr7Pr8v_fr_yS9y6Y19X5FJqqDT0mc09jAJ8szx0WNXOiC-KQ@mail.gmail.com>
 <6acd490e-6393-62e4-5d07-71c2a3624417@gentoo.org>
 <CAJ0EP42n7mM4YZ_y5AJ4esZrPpqE_CrFCzHbaB3LXo+JVVSETg@mail.gmail.com>
 <2db31450-63e5-2ecc-ff3b-1858c760b287@gentoo.org>
 <CAJ0EP42FboO+JNgcfPptBiZQMTbZBE3=VXK_aA=iDcDJsbWvYg@mail.gmail.com>
From: Michael Orlitzky <mjo@gentoo.org>
Message-ID: <4ccab80c-fc9e-c843-8a1b-50a329abf6c1@gentoo.org>
Date: Thu, 12 Sep 2019 17:11:30 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
In-Reply-To: <CAJ0EP42FboO+JNgcfPptBiZQMTbZBE3=VXK_aA=iDcDJsbWvYg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Archives-Salt: a6d4e5ff-4204-43db-8dda-122d5469333a
X-Archives-Hash: bc3dec832fc823ca81f26aaa676de869

On 9/12/19 1:43 PM, Mike Gilbert wrote:
> 
> They do "go away" if you pass the right options to emerge, or if you
> install it from a binpkg in the first place.
> 

The dependencies are statically linked into the final executable forever
and receive no security updates. Portage doesn't even know they're
there. Depclean doesn't do what you think it does in that case. (I'm
sure you personally understand how this works, but a regular user has no
idea that we've installed 100MB of vulnerable code on his machine and
have just abandoned it there.)