To: gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-dev] Re: Revisions for USE flag changes
Date: Sun, 13 Aug 2017 02:32:20 +0000 (UTC)

Michael Orlitzky posted on Sat, 12 Aug 2017 10:14:18 -0400 as excerpted:

> On 08/12/2017 06:29 AM, Rich Freeman wrote:
>>
>> My gut feeling is that the change you want is probably a good thing,
>> but it will never happen if you can't provide a single example of
>> something bad happening due to the lack of a revbump.
>
> There's an unfixed security vulnerability with USE=foo, so we drop the
> flag temporarily. Users who had USE=foo enabled will keep the vulnerable
> code installed until they update with --changed-use or --newuse.
>
> Even with the devmanual improvements, the advice we give is conflicting:
>
>   * If you fix an important runtime issue, do a revbump.
>
>   * If you drop a USE flag, don't do a revbump.
>
> What if you fix a runtime issue by dropping a flag? It's more confusing
> than it has to be: the USE flag exception interacts weirdly with all the
> other rules.

Bad example as it's a security vuln, which requires masking/removing
vulnerable versions, which will require a version bump in order to
prevent downgrades if it was the latest visible for a (stable or ~arch)
keyword.

So the version bump is effectively mandatory due to security overrides in
any case, and that it was fixed by a temporary USE flag drop doesn't
change things at all.

If that security-override isn't explicit in current documentation, that'd
be the bug, not the fact that use-flag drops don't on their own require a
version-bump.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman