From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.62) (envelope-from ) id 1HIQWw-0004kJ-U8 for garchives@archives.gentoo.org; Sat, 17 Feb 2007 14:27:15 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.14.0/8.14.0) with SMTP id l1HEQVKK022322; Sat, 17 Feb 2007 14:26:31 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by robin.gentoo.org (8.14.0/8.14.0) with ESMTP id l1HEQU0c022317 for ; Sat, 17 Feb 2007 14:26:31 GMT Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 4F24164B69 for ; Sat, 17 Feb 2007 14:26:30 +0000 (UTC) X-Virus-Scanned: amavisd-new at gentoo.org X-Spam-Score: -2.283 X-Spam-Level: X-Spam-Status: No, score=-2.283 required=5.5 tests=[AWL=0.181, BAYES_00=-2.599, FORGED_RCVD_HELO=0.135] Received: from smtp.gentoo.org ([127.0.0.1]) by localhost (smtp.gentoo.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RyJWYMraGGoz for ; Sat, 17 Feb 2007 14:26:21 +0000 (UTC) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by smtp.gentoo.org (Postfix) with ESMTP id 192BB6414E for ; Sat, 17 Feb 2007 14:26:20 +0000 (UTC) Received: from [82.83.37.187] (helo=sheridan.genone.homeip.net) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1HIQW24BYR-0004aK; Sat, 17 Feb 2007 15:26:19 +0100 Date: Sat, 17 Feb 2007 15:28:54 +0100 From: Marius Mauch To: gentoo-portage-dev@lists.gentoo.org Subject: Re: [gentoo-portage-dev] New preserve-libs feature Message-ID: <20070217152854.15e77c65@sheridan.genone.homeip.net> In-Reply-To: <45D7094E.7070606@gentoo.org> References: <20070217144914.593f376b@sheridan.genone.homeip.net> <45D7094E.7070606@gentoo.org> Organization: Gentoo X-Mailer: Claws Mail 2.7.2 (GTK+ 2.10.9; x86_64-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-portage-dev@gentoo.org Reply-to: gentoo-portage-dev@lists.gentoo.org Mime-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_A1YOvs=qsxmudREY6IhhgyY"; protocol="application/pgp-signature"; micalg=PGP-SHA1 X-Provags-ID: kundenserver.de abuse@kundenserver.de login:7e6c91d1b14dbccceb2f2166522fa0f6 X-Provags-ID2: V01U2FsdGVkX1+M18nHyfr83b5TzlTfeQyjz+4mS9wdl2dj3qKPxQaQumGn97TclATS+ZC1rzKJdMNMrOeLugH5hRWkQARv1lHPY7pzoXuyXgP0GW8xvNZIQA== X-Archives-Salt: 91713298-80a6-47e1-93ea-4f3f55200642 X-Archives-Hash: d88d367eb5f0a4d75fb92873098c8e50 --Sig_A1YOvs=qsxmudREY6IhhgyY Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Sat, 17 Feb 2007 14:55:26 +0100 Simon Stelling wrote: > Marius Mauch wrote: > > So everyone who has valid objections to the _general idea_ of this > > implementation (preserving old libraries to avoid some runtime > > linker errors) speak up now.=20 >=20 > For how long are these libraries preserved? This might have a security > impact in cases like the recent openssl-case where you had to upgrade > to an incompatible ABI because the version using the old one was > vulnerable. Using preserve-libs it would leave the old lib around, > making it possible for programs to link against the wrong version and > ending up being vulnerable. I realize that the feature is meant to > help the transitional phase until all apps are built against the new > ABI, but how would you find these vulnerable apps currently? > revdep-rebuild wouldn't rebuild them since they are still functional. Currently they are around as long as they are referenced by other packages or until the package is unmerged. And yes, there should be a way to tell revdep-rebuild/the user which packages should/need to be rebuilt, but I haven't made my mind up yet on how to accomplish that (in fact atm there is no separation between "native" and "imported" libs in vdb, I'm aware that needs to be added). Marius --=20 Public Key at http://www.genone.de/info/gpg-key.pub In the beginning, there was nothing. And God said, 'Let there be Light.' And there was still nothing, but you could see a bit better. --Sig_A1YOvs=qsxmudREY6IhhgyY Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.2 (GNU/Linux) iD8DBQFF1xEqWzrL1pM7SNcRAvDvAJ0eyURC8jrKTvkuKNtWMntQJ+GyBwCfe8ku yfqFiMEcDTDja+zGfSQ08ec= =KYRb -----END PGP SIGNATURE----- --Sig_A1YOvs=qsxmudREY6IhhgyY-- -- gentoo-portage-dev@gentoo.org mailing list