From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
To: gentoo-dev@lists.gentoo.org
References: <20190916141719.12922-1-williamh@gentoo.org> <20190916141719.12922-2-williamh@gentoo.org> <397fd9bd-d439-1876-c677-8e4a7ee8c7cf@gentoo.org>
From: Michael Orlitzky
Message-ID: <5ee9a16b-1709-4f79-4308-2b01f13e91d0@gentoo.org>
Date: Wed, 18 Sep 2019 15:15:25 -0400
On 9/18/19 2:04 PM, Alec Warner wrote:
>
> I'm actually pretty fine with this wording, upstream has said not to
> dynamically link in these use cases.
>

Respectfully, the fact that you're OK with it doesn't make it not BS. It reads like "there's no way we can fix this!" when really it means "we don't feel like doing this properly!"

Upstreams suggest dumb stuff all the time. We fix it. That's, like, what we do here.

> So if the package *maintainer* bumps each package every time it, or a
> dep has a security issue; then updating will work fine.
>

Simply not true. If there's a security problem in a dependency and if you bump the packages that depend on it... nothing happens. Everyone reinstalls the vulnerable dependency, because the vulnerable dependency is bundled in every single one of those packages.
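The point in the last paragraph, that a fix in a dependency only reaches users once every binary embedding it has been rebuilt, can be checked on an installed system from the module build information Go records in each binary. The following is an added example, not part of this thread or of the eclass under discussion: it parses constructed `go version -m` output (binary paths, module versions and `h1:` sums are made up) and lists the binaries whose embedded copy of a module predates the version carrying the fix; version ordering is a simplified semver comparison, not Go's full algorithm.

```python
"""Find installed Go binaries that bundle a module older than the fixed version.

Input is the output of `go version -m <binary>...`: one header line per binary
followed by tab-indented 'path', 'mod' and 'dep' records.
"""
import re

# Constructed sample of `go version -m /usr/bin/a /usr/bin/b` output.
SAMPLE_BUILDINFO = """\
/usr/bin/a: go1.13
\tpath\texample.com/a
\tmod\texample.com/a\tv1.4.0\th1:AAAA
\tdep\tgolang.org/x/crypto\tv0.0.0-20190308221718-c2843e01d9a2\th1:BBBB
/usr/bin/b: go1.13
\tpath\texample.com/b
\tmod\texample.com/b\tv0.9.1\th1:CCCC
\tdep\tgolang.org/x/crypto\tv0.0.0-20190820162420-60c769a6c586\th1:DDDD
\tdep\tgithub.com/foo/bar\tv2.0.0+incompatible\th1:EEEE
"""

def parse_version(v):
    """Turn 'vX.Y.Z[-pre][+build]' into a sortable key: numeric core, then a
    flag so a release sorts after any pre-release, then the pre-release string
    (Go pseudo-versions carry a timestamp there, so they order by date)."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)(?:-([^+]*))?", v)
    if not m:
        raise ValueError("unparseable module version: %r" % v)
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return core + ((1, "") if pre is None else (0, pre))

def parse_buildinfo(text):
    """Return {binary_path: {module_path: version}} from `go version -m` output."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.startswith("\t"):          # "/usr/bin/a: go1.13" header line
            current = line.split(":", 1)[0]
            result[current] = {}
            continue
        fields = line.lstrip("\t").split("\t")
        if fields[0] in ("mod", "dep") and len(fields) >= 3:
            result[current][fields[1]] = fields[2]
    return result

def find_affected(text, module, fixed_in):
    """Binaries whose embedded `module` is older than `fixed_in`."""
    fixed = parse_version(fixed_in)
    return sorted(binary for binary, mods in parse_buildinfo(text).items()
                  if module in mods and parse_version(mods[module]) < fixed)
```

On a real system, feed it `go version -m` run over the binaries a package installs; every binary it reports still carries the old code until that package is rebuilt.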