[gentoo-dev] Re: Revisions for USE flag changes

[Duncan <1i5t5.duncan@cox.net>]

Michael Orlitzky posted on Sat, 12 Aug 2017 10:14:18 -0400 as excerpted:

> On 08/12/2017 06:29 AM, Rich Freeman wrote:
>> 
>> My gut feeling is that the change you want is probably a good thing,
>> but it will never happen if you can't provide a single example of
>> something bad happening due to the lack of a revbump.
> 
> There's an unfixed security vulnerability with USE=foo, so we drop the
> flag temporarily. Users who had USE=foo enabled will keep the vulnerable
> code installed until they update with --changed-use or --newuse.
> 
> Even with the devmanual improvements, the advice we give is conflicting:
> 
>   * If you fix an important runtime issue, do a revbump.
> 
>   * If you drop a USE flag, don't do a revbump.
> 
> What if you fix a runtime issue by dropping a flag? It's more confusing
> than it has to be: the USE flag exception interacts weirdly with all the
> other rules.

Bad example as it's a security vuln, which requires masking/removing 
vulnerable versions, which will require a version bump in ordered to 
prevent downgrades if it was the latest visible for a (stable or ~arch) 
keyword.

So the version bump is effectively mandatory due to security overrides in 
any case, and that it was fixed by a temporary USE flag drop doesn't 
change things at all.  If that security-override isn't explicit in 
current documentation, that'd be the bug, not the fact that use-flag 
drops don't on their own require a version-bump.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman