* [gentoo-server] A few questions about portage
From: Ian P. Christian @ 2005-09-12 17:52 UTC
To: gentoo-server
I've recently been spending some time getting to know a little more about
portage, and I've run into a few issues.
$ emerge --update --deep --newuse world
It's reasonably well known that the above doesn't update all packages
installed on a system - I think it only updates packages that are in the
world file. Recently, this issue has left a server of mine with an insecure
version of apache (apache was installed due to a dependency caused by PHP, or
some application I installed that pulled in php, which in turn pulled in
apache).
The man page does cover this, but it's by no means made obvious - and I think
this is rather a large issue, as a lot of users of gentoo probably don't know
this.
From the manual:
"When you install a package with uninstalled dependencies and do not
explicitly state those dependencies in the list of parameters, they will not
be added to the world file. If you want them to be detected for world
updates, make sure to explicitly list them as parameters to emerge."
It should have a big WARNING or something next to it IMO.
emerge --depclean will point out what isn't in your world file for you, so you
can go ahead and add things to the world file manually. Having done this,
when you uninstall whatever it was that dragged that dependency in in the
first place, you will get unneeded packages on the system.
Let's say for example's sake I install mail-client/squirrelmail. This will pull
in PHP, which will pull in apache. In this case, -uD will not update apache
should a new version appear. An emerge --depclean will show apache as being
removable - so apache will need manually adding to the world file. Now, when
I uninstall squirrelmail, apache is no longer needed, but depclean won't
show that, because I was forced to add it to the world file. In a lot of
situations, the package might be a lot more obscure, perhaps some odd
libraries which now are in the world file, and will stay there, because
unless I manually look through the world file, and run an 'equery depends' on
each one, I won't notice they are no longer needed.
So it seems that I either suffer packages not being updated, or am forced into
adding things into the world file and then face the problem that dependencies
will not be removable by depclean.
Also, I don't understand why emerge --depclean will show a package, which upon
doing an 'equery depends' on that package will show that actually that
package is needed. Why do these tools contradict each other? Surely depclean
should have the logic that equery uses to see when a dependency really is
needed?
glsa-check goes some way to solving the problem, it does check to see if there
are outdated packages that have been affected by security issues - but it
doesn't update libraries that were installed but aren't in the world file.
Is there a script that's been developed to be cronned to email the sys admin a
report saying what packages need updating? I noticed that in the last month
on this list there has been some useful information about running glsa-check
and rsyncing just part of the portage tree. This kind of thing is integral to
running a server, and if no such script exists in the portage tree, I will
attempt to write one.
Kind Regards,
--
Ian P. Christian ~ http://pookey.co.uk
* Re: [gentoo-server] A few questions about portage
From: Matthew Lange @ 2005-09-12 19:52 UTC
To: gentoo-server
I have the following as an emerge.sh script in my cron.daily directory.
I used to have a lock file to prevent multiple copies from running, but
I now use fcron, which has this feature built-in. By default, all
output gets mailed to root, which I have aliased to me.
---snip---
#!/bin/sh
# Note: "2>&1 > /dev/null" discards only stdout; stderr is still mailed.
# Use "> /dev/null 2>&1" if both streams should be silenced.
emerge sync 2>&1 > /dev/null
echo 'emerge system:'
emerge -pv --nocolor system
echo 'emerge world:'
emerge -pv --nocolor world
/usr/bin/revdep-rebuild --pretend --quiet --nocolor
---snip---
Unfortunately, ANSI color is hard-coded into the utilities, so I get a
few control-characters in the output...but it works OK.
I have a better one I wrote, but I'll need to find it...I'll post it later.
Matt
Ian P. Christian wrote:
[.......]
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Ben Munat @ 2005-09-13 3:51 UTC
To: gentoo-server
Ian,
I was just going on about a similar concern to yours and Chris Schwerdt replied just this
morning with this:
<snip>
Give unclepine a try (unclepine -u).
http://forums.gentoo.org/viewtopic.php?t=260866
</snip>
I tried it out and it seems to work pretty well. The author claims that equery depends
isn't very reliable. I tried unclepine with glib -- which "emerge --depclean" said it
wanted to remove, but "equery depends" said is depended on by a bunch of packages -- and
it says glib is not depended on by anything. Go figure.
I agree that there are definitely some rough spots in portage (though you should switch to
FreeBSD and see how much of a mess the Ports system is in comparison). I've been using
gentoo for a couple years and I just figured out the stuff about packages not getting
updated if it's not in the world file.
Oh, by the way emerge -uD world will update dependencies of everything in the world file,
even if they're not in the world file themselves... it's the stuff that gets emerged and
then stops being a dependency of something else that's the problem. Although, I suppose
one could make the weak argument that, if a package is no longer a dependency of anything,
it's probably not going to be exercised. Still, it seems this would be pretty simple to
solve if there were an "emerge *", that checked every package on your machine for an update.
b
PS: just before I sent this I had a hunch and tried "equery depends glibc"... it has the
same output as "equery depends glib". So, that was just a lack of specificity on my
part... though equery really should squawk if a pkg is not specific enough (or not found).
If I try "equery depends dev-libs/glib" it comes back with no dependencies.
Ian P. Christian wrote:
[.......]
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: z3rosix @ 2005-09-15 7:45 UTC
To: gentoo-server
Hello,
maybe I'm wrong but doesn't "emerge -pv world" include "emerge -pv
system" ???
so you just need to "emerge world"
and by the way you can use "emerge --sync -q" so you get only errors
emailed.
greetz
alex
On Mon, Sep 12, 2005 at 02:52:16PM -0500, Matthew Lange wrote:
> I have the following as an emerge.sh script in my cron.daily directory.
> I used to have a lock file to prevent multiple copies from running, but
> I now use fcron, which has this feature built-in. By default, all
> output gets mailed to root, which I have aliased to me.
>
> ---snip---
> emerge sync 2>&1 > /dev/null
> echo 'emerge system:'
> emerge -pv --nocolor system
> echo 'emerge world:'
> emerge -pv --nocolor world
> /usr/bin/revdep-rebuild --pretend --quiet --nocolor
> ---snip---
>
> Unfortunately, ANSI color is hard-coded into the utilities, so I get a
> few control-characters in the output...but it works OK.
>
> I have a better one I wrote, but I'll need to find it...I'll post it later.
>
> Matt
>
>
>
> Ian P. Christian wrote:
[.......]
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Ian P. Christian @ 2005-09-15 15:06 UTC
To: gentoo-server; +Cc: z3rosix
On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
> maybe I'm wrong but doesn't "emerge -pv world" include "emerge -pv
> system" ???
> so you just need to "emerge world"
> and by the way you can use "emerge --sync -q" so you get only errors
> emailed.
I was curious as to why that was done too. Either way, doing an emerge world
will still leave out of date, possibly insecure packages on the system, so I
wouldn't advise relying on that.
--
Ian P. Christian ~ http://pookey.co.uk
* Re: [gentoo-server] A few questions about portage
From: Matthew Lange @ 2005-09-15 15:49 UTC
To: gentoo-server
I originally did that to see the difference between 'emerge system' and
'emerge world', since system packages are supposed to only be the ones
necessary for the operation of the system.
I have a lot of boxes that I manage, so I can't always afford the
compile time/downtime on all of them, so I mostly just 'emerge system'
on those boxes.
Then I look at the 'emerge world' output to see if I really need to
update the boxes with those packages, since they are mostly version
bumps and may not be as critical.
Matt
Ian P. Christian wrote:
> On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
>
>>maybe I'm wrong but doesn't "emerge -pv world" include "emerge -pv
>>system" ???
>>so you just need to "emerge world"
>>and by the way you can use "emerge --sync -q" so you get only errors
>>emailed.
>
>
> I was curious as to why that was done too. Either way, doing an emerge world
> will still leave out of date, possibly insecure packages on the system, so I
> wouldn't advise relying on that.
>
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Ben Munat @ 2005-09-15 15:59 UTC
To: gentoo-server
Yes, but it's possible to have packages on your machine that aren't in system or world.
And you can also have packages on your machine that aren't even dependencies of packages in
system or world. This surprised me. But, I suppose it's bound to happen as packages mature
and old dependencies go away.
b
z3rosix@my-mail.ch wrote:
> Hello,
>
> maybe I'm wrong but doesn't "emerge -pv world" include "emerge -pv
> system" ???
> so you just need to "emerge world"
> and by the way you can use "emerge --sync -q" so you get only errors
> emailed.
>
>
> greetz
>
> alex
>
> On Mon, Sep 12, 2005 at 02:52:16PM -0500, Matthew Lange wrote:
>
>>I have the following as an emerge.sh script in my cron.daily directory.
>> I used to have a lock file to prevent multiple copies from running, but
>>I now use fcron, which has this feature built-in. By default, all
>>output gets mailed to root, which I have aliased to me.
>>
>>---snip---
>> emerge sync 2>&1 > /dev/null
>> echo 'emerge system:'
>> emerge -pv --nocolor system
>> echo 'emerge world:'
>> emerge -pv --nocolor world
>> /usr/bin/revdep-rebuild --pretend --quiet --nocolor
>>---snip---
>>
>>Unfortunately, ANSI color is hard-coded into the utilities, so I get a
>>few control-characters in the output...but it works OK.
>>
>>I have a better one I wrote, but I'll need to find it...I'll post it later.
>>
>>Matt
>>
>>
>>
>>Ian P. Christian wrote:
[.......]
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Ian P. Christian @ 2005-09-15 16:11 UTC
To: gentoo-server; +Cc: Matthew Lange
On Thursday 15 September 2005 16:49, Matthew Lange wrote:
> Then I look at the 'emerge world' output to see if I really need to
> update the boxes with those packages, since they are mostly version
> bumps and may not be as critical.
Are you aware that both emerge world, and emerge system can leave your system
insecure by failing to upgrade packages?
--
Ian P. Christian ~ http://pookey.co.uk
* Re: [gentoo-server] A few questions about portage
From: z3rosix @ 2005-09-15 16:12 UTC
To: gentoo-server
On Thu, Sep 15, 2005 at 04:06:24PM +0100, Ian P. Christian wrote:
> On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
> > maybe I'm wrong but doesn't "emerge -pv world" include "emerge -pv
> > system" ???
> > so you just need to "emerge world"
> > and by the way you can use "emerge --sync -q" so you get only errors
> > emailed.
>
> I was curious as to why that was done too. Eitherway, doing an emerge world
> will still leave out of date, possibly insecure packages on the system, so I
> wouldn't advise relying on that.
>
> --
> Ian P. Christian ~ http://pookey.co.uk
yes but these packages you can get with "glsa-check -t all".
I have a server with gentoo and run every day "emerge --sync -q" and
"glsa-check -t all", also I think about "revdep-rebuild -pq"
I'm sure that I don't get all packages which need to be updated, but if one of them has a security issue I will get it, and this is enough for me ;_)
greetz
alex
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Christian Ehlers @ 2005-09-23 22:00 UTC
To: gentoo-server
I am doing the following:
1. qpkg -I -nc |xargs emerge -u
2. revdep-rebuild
I am wondering if this is sufficient? Basically as far as I understand
it, 1. will check for updates on all packages installed, and 2. will
check if anything needs recompiling because a shared library has been
updated.
Anything else I need to do to make sure my system is up2date? Maybe I
missed something in the replies, but as far as I understood it
(admitting that English isn't my 1st or 2nd language) there was no real
solution posted yet?
Should I still do an emerge -u --deep world (+ --newuse if I change the
use variable?)
Regards,
Christian Ehlers
On Mon, 2005-09-12 at 18:52 +0100, Ian P. Christian wrote:
> I've recently been spending some time getting to know a little more about
> portage, and I've run into a few issues.
>
> $ emerge --update --deep --newuse world
>
> It's reasonably well known that the above doesn't update all packages
> installed on a system - I think it only updates packages that are in the
> world file. Recently, this issue has left a server of mine with an insecure
> version of apache (apache was installed due to a dependency caused by PHP, or
> some application I installed that pulled in php, which in turn pulled in
> apache).
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a lot of users of gentoo probably don't know
> this.
>
> From the manual:
>
> "When you install a package with uninstalled dependencies and do not
> explicitly state those dependencies in the list of parameters, they will not
> be added to the world file. If you want them to be detected for world
> updates, make sure to explicitly list them as parameters to emerge."
>
[.......]
> Kind Regards,
>
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] A few questions about portage
From: Marius Mauch @ 2005-09-28 3:30 UTC
To: gentoo-server
Christian Ehlers wrote:
> I am doing the following:
>
> 1. qpkg -I -nc |xargs emerge -u
>
> 2. revdep-rebuild
>
> I am wondering if this is sufficient? Basically as far as I understand
> it, 1. will check for updates on all packages installed, and 2. will
> check if anything needs recompiling because a shared library has been
> updated.
>
> Anything else I need to do to make sure my system is up2date? Maybe I
> missed something in the replies, but as far as I understood it
> (admitting that English isn't my 1st or 2nd language) there was no real
> solution posted yet?
>
> Should I still do an emerge -u --deep world (+ --newuse if I change the
> use variable?)
First: don't use qpkg, it's dead and has several conceptual bugs
(causing for example wrong results for the command you use). New
gentoolkit versions already don't install it anymore (except for a copy
in the docs dir).
As for general update procedure, I'd recommend:
- glsa-check -l $(glsa-check -t new)
- Update those packages first (glsa-check -f new, might cause some
redundant updates though later due to a different update strategy)
- emerge -uavDN world
- emerge -p --depclean
- Check that list and either remove the packages or add them to the
world file
- revdep-rebuild || revdep-rebuild -X
This requires and ensures that your world file is always up to date and
correct, though you might have already corrupted it with your qpkg
trick (as in some versions -u added a package to world).
Marius
* Re: [gentoo-server] A few questions about portage
From: Alex Efros @ 2005-09-28 14:05 UTC
To: gentoo-server
Hi!
On Mon, Sep 12, 2005 at 06:52:31PM +0100, Ian P. Christian wrote:
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a lot of users of gentoo probably don't know
> this.
Yep. :( And there exist some things which probably are (were?) not covered by
manuals - I've spent a lot of time reading forums to make clear how to
use portage in a SAFE way. I've summarized this information and posted it in
the forum, but, sorry, it's in Russian - I've no time to translate it now.
It's available here: http://gentoo.ru/node/193 (if somebody wanna translate).
In short, to update the system in a __SAFE__ way:
1. Check /var/lib/portage/world:
- it shouldn't contain any libraries or software which YOU don't need
and which are just depended on by some other packages
- it shouldn't contain packages which are in 'system'
- it shouldn't contain packages with a version/revision number
2. Check /etc/portage/* files because they can contain non-actual things
which prevent you from upgrading in the right way now.
3. Rarely, but a profile update may be needed (usually when the old profile
becomes deprecated or when switching to hardened, etc.).
4. USE flags for some packages may have changed. To detect this, run
emerge -uDNpv world
and review flags for all critical (for you) packages.
5. If none of the toolchain (linux-headers, glibc, binutils, gcc) packages
wanna upgrade then just run
emerge -uDNav world
else things become more complicated because for a number of reasons
it's a good idea to recompile the whole system in this way:
# clean $pkgdir in some way to optimize compilation speed by
# building/using binary packages:
pkgdir=$(portageq pkgdir)
mv $pkgdir /tmp/portage-packages
install -d -o portage -g portage $pkgdir
# compile toolchain: first pass
emerge linux-headers glibc binutils gcc-config gcc
# select new gcc if it was installed in new SLOT
gcc-config ...
source /etc/profile
# compile toolchain: second pass + make binary packages
emerge -b glibc binutils gcc portage
# recompile system (toolchain used from binary packages to save time)
emerge -bke system
# recompile world (system used from binary packages to save time)
emerge -ke world
6. Even after this there may exist not-updated packages with security
holes (in SLOTs), so:
glsa-check -l | grep '\[N\]'
emerge ... # manually update needed packages
7. Remove unneeded dependencies:
emerge -a depclean
emerge -uDNav world # fix possible errors in depclean
8. After updating libraries it may be needed to recompile something:
rm /root/.revdep-rebuild*.?_*
revdep-rebuild
9. Update config files:
dispatch-conf
10. While updating packages some ebuilds print important information
(which is lost with batch update, of course). To review this
information you need the `enotice` or `portlog-info` tools.
11. ... Joke! That's all, folks! :-))
Of course, not all these steps are needed every day, but ... Anyway, without
manual actions and a lot of attention it's impossible to update the system
in a safe way. This isn't a Gentoo problem, of course, the same issues exist in
other distributions, but they are mostly hidden and hit you when you
don't expect it. :(
--
WBR, Alex.
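Alex's step 1 and Marius's "check that list and either remove the packages or add them to the world file" step both come down to keeping /var/lib/portage/world clean, since anything missing from it (the apache case from the first mail) is skipped by world updates and anything pinned in it is held back. As an added example that is not part of this thread, the Python below lints a world file against the two mechanical rules (no versioned entries, nothing that the profile's system set already covers); the world file and the profile `packages` excerpt are constructed samples.

```python
import re
# Constructed sample /var/lib/portage/world (hypothetical, not from the thread).
SAMPLE_WORLD = """\
mail-client/squirrelmail
www-servers/apache
=dev-lang/php-4.4.0
sys-apps/baselayout
"""
# Constructed excerpt of a profile 'packages' file: '*' marks system-set members.
SAMPLE_PACKAGES = """\
*sys-apps/baselayout
*sys-libs/glibc
*sys-devel/gcc
"""
# Portage version suffix: -2.0.54, -4.4.0a, -1.0_rc1, -1.0-r2 and so on.
VERSION_RE = re.compile(r"-\d+(\.\d+)*[a-z]?(_(alpha|beta|pre|rc|p)\d*)*(-r\d+)?$")
OPERATORS = ("<=", ">=", "=", "<", ">", "~")  # two-character operators first

def strip_version(atom):
    """Drop a leading dependency operator and a trailing version from an atom."""
    for op in OPERATORS:
        if atom.startswith(op):
            atom = atom[len(op):]
            break
    return VERSION_RE.sub("", atom)

def system_set(packages_text):
    """Return the unversioned atoms a profile marks with '*' (the system set)."""
    atoms = set()
    for line in packages_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("*"):
            atoms.add(strip_version(line[1:]))
    return atoms

def lint_world(world_text, packages_text):
    """Return (entry, problem) pairs for world entries that break the rules above."""
    system = system_set(packages_text)
    problems = []
    for raw in world_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        bare = strip_version(entry)
        if bare != entry:
            problems.append((entry, "pinned to a version, so world updates will not move past it"))
        if bare in system:
            problems.append((entry, "already in the profile's system set"))
    return problems
```

Run `lint_world` over the real world file and the active profile's `packages` (and those of its parent profiles) to get the list of entries to clean up before the `emerge -uDN world` step.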