From: Mike Gilbert
Date: Thu, 12 Sep 2019 17:23:27 -0400
Subject: Re: [gentoo-dev] [PATCH 3/3] dev-vcs/hub: migrate to go-module.eclass
To: Gentoo Dev

On Thu, Sep 12, 2019 at 5:11 PM Michael Orlitzky wrote:
>
> On 9/12/19 1:43 PM, Mike Gilbert wrote:
> >
> > They do "go away" if you pass the right options to emerge, or if you
> > install it from a binpkg in the first place.
> >
>
> The dependencies are statically linked into the final executable forever
> and receive no security updates. Portage doesn't even know they're
> there. Depclean doesn't do what you think it does in that case. (I'm
> sure you personally understand how this works, but a regular user has no
> idea that we've installed 100MB of vulnerable code on his machine and
> have just abandoned it there.)

Putting the dependencies in RDEPEND means users get stuck with yet
another copy of the code installed, in addition to the copy that is
statically linked into all reverse dependencies. It's not a very good
solution to the problem.