From: Marius Mauch <genone@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] New preserve-libs feature
Date: Sat, 17 Feb 2007 15:28:54 +0100 [thread overview]
Message-ID: <20070217152854.15e77c65@sheridan.genone.homeip.net> (raw)
In-Reply-To: <45D7094E.7070606@gentoo.org>
[-- Attachment #1: Type: text/plain, Size: 1525 bytes --]
On Sat, 17 Feb 2007 14:55:26 +0100
Simon Stelling <blubb@gentoo.org> wrote:
> Marius Mauch wrote:
> > So everyone who has valid objections to the _general idea_ of this
> > implementation (preserving old libraries to avoid some runtime
> > linker errors) speak up now.
>
> For how long are these libraries preserved? This might have a security
> impact in cases like the recent openssl-case where you had to upgrade
> to an incompatible ABI because the version using the old one was
> vulnerable. Using preserve-libs it would leave the old lib around,
> making it possible for programs to link against the wrong version and
> ending up being vulnerable. I realize that the feature is meant to
> help the transitional phase until all apps are built against the new
> ABI, but how would you find these vulnerable apps currently?
> revdep-rebuild wouldn't rebuild them since they are still functional.
Currently they are around as long as they are referenced by other
packages or until the package is unmerged. And yes, there should be a
way to tell revdep-rebuild/the user which packages should/need to be
rebuilt, but I haven't made my mind up yet on how to accomplish that
(in fact atm there is no separation between "native" and "imported"
libs in vdb, I'm aware that needs to be added).
Marius
--
Public Key at http://www.genone.de/info/gpg-key.pub
In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2007-02-17 14:27 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-17 13:49 [gentoo-portage-dev] New preserve-libs feature Marius Mauch
2007-02-17 13:55 ` Simon Stelling
2007-02-17 14:03 ` Mike Frysinger
2007-02-17 14:32 ` Brian Harring
2007-02-17 14:39 ` Mike Frysinger
2007-02-17 15:02 ` Brian Harring
2007-02-17 15:09 ` Mike Frysinger
2007-02-17 15:36 ` Brian Harring
2007-02-17 16:39 ` Mike Frysinger
2007-02-17 20:56 ` [gentoo-portage-dev] " Duncan
2007-02-18 5:45 ` Paul Varner
2007-02-18 14:18 ` Duncan
2007-02-23 13:22 ` Carsten Lohrke
2007-02-23 15:31 ` Marius Mauch
2007-02-24 6:51 ` Duncan
2007-02-17 14:28 ` Marius Mauch [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070217152854.15e77c65@sheridan.genone.homeip.net \
--to=genone@gentoo.org \
--cc=gentoo-portage-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox