[gentoo-server] glsa-check and unused packages

[gentoo-server] glsa-check and unused packages

[Ben Munat]

On running glsa-check, it claims that I'm vulnerable to 17 glsa's. I keep my system very 
up-to-date with a daily "emerge world" and a weekly "emerge -uD world". So, I was a bit 
surprised to find that I was vulnerable to so many glsa's. However, in researching this, 
I've come up with a couple questsions.

First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is 
pdflib and the second is various horde packages. However, I have the current versions of 
these installed -- the versions that the glsa says I need to solve the vulnerability. So, 
why would glsa-check say I'm vulnerable when I'm not?

The next question is less about glsa-check and more about package dependencies. I was 
initially confused how I could have any package on my system that's not at the latest 
stable version, but I see now how emerge -uD world will only update the explicit 
dependencies of the packages listed in my world file. So, most of these un-updated 
packages must have been pulled in as a dependency at some point, but the package that 
needed them later stopped needing them. As I'd like to keep my installed packages down to 
what is only necessary (and avoid having vulnerable packages on my system), it would seem 
best to just uninstall these. But, I'd also like to be sure they're really ununsed.

The only tool I've been able to find to check dependencies is "equery depends" (which, 
strangely enough, the man page says is unimplemented, but the gentoolkit page 
(http://www.gentoo.org/doc/en/gentoolkit.xml) quite happily recommends using). I tested it 
on some packages that are clearly needed (mysql, php) and it did find dependecies. So, the 
fact that it doesn't report anything for all these packages that should mean they're okay 
to remove, right?

Well, I guess there is another dependency tool: emerge --depclean. But this seems 
completely whack: it finds 58 packages to delete. A number of these are java libraries 
(commons-logging, jdepend, etc.) that I may not need (but may want at some point), but 
also includes ant, which I would think most java apps would need. It also says I don't 
need ncompress, but equery depends said that tar needs ncompress! It would suck to break 
tar. And it also says I don't need glib!!!! So, in short, emerge --depclean seems as 
dangerous as they say... and therefore basically useless in my opinion.

Anyway, sorry this is so long... any thoughts and ideas on how to keep your system clean 
are welcome.

b
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[Owen Ford]

On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is 
> pdflib and the second is various horde packages. However, I have the current versions of 
> these installed -- the versions that the glsa says I need to solve the vulnerability. So, 
> why would glsa-check say I'm vulnerable when I'm not?

There are probably versions of those packages slotted.  I use emerge -Cp
package to see which are installed.

-- 
Owen Ford <oford@arghblech.com>
()  The ASCII Ribbon Campaign - against HTML Email
/\   and proprietary formats.
 

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[Ben Munat]

Owen Ford wrote:
> On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> 
>>First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is 
>>pdflib and the second is various horde packages. However, I have the current versions of 
>>these installed -- the versions that the glsa says I need to solve the vulnerability. So, 
>>why would glsa-check say I'm vulnerable when I'm not?
> 
> 
> There are probably versions of those packages slotted.  I use emerge -Cp
> package to see which are installed.
> 

Very good... exactly the problem. Thanks.

As for dealing with all my orphaned packages, I'm figuring on going through the output of 
"emerge --depclean" and unmerging everything that comes up with no dependencies under 
"equery depends" and is something that I don't think I'll use. Does that sound reasonable?

Oh, and I'm assuming that "equery depends" just checks for installed packages that depend 
on the given package... anyone know any way to check a package's dependency against the 
entire portage tree?

b
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[W.Kenworthy]

use "glsa-check -f package" on each offender first.  It will safely
remove the bad packages. 

Due to its history of breaking systems, depclean should be left until
absolutely necessary.

BillK
 
On Sat, 2005-09-10 at 15:35 -0700, Ben Munat wrote:
> Owen Ford wrote:
> > On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> > 
> >>First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is 
> >>pdflib and the second is various horde packages. However, I have the current versions of 
> >>these installed -- the versions that the glsa says I need to solve the vulnerability. So, 
> >>why would glsa-check say I'm vulnerable when I'm not?
> > 
> > 
> > There are probably versions of those packages slotted.  I use emerge -Cp
> > package to see which are installed.
> > 
> 
> Very good... exactly the problem. Thanks.
> 
> As for dealing with all my orphaned packages, I'm figuring on going through the output of 
> "emerge --depclean" and unmerging everything that comes up with no dependencies under 
> "equery depends" and is something that I don't think I'll use. Does that sound reasonable?
> 
> Oh, and I'm assuming that "equery depends" just checks for installed packages that depend 
> on the given package... anyone know any way to check a package's dependency against the 
> entire portage tree?
> 
> b
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[Sam Halicke]

On Sep 10, 2005, at 4:37 PM, W.Kenworthy wrote:

> use "glsa-check -f package" on each offender first.  It will safely
> remove the bad packages.
>
> Due to its history of breaking systems, depclean should be left until
> absolutely necessary.
>
> BillK
>
> On Sat, 2005-09-10 at 15:35 -0700, Ben Munat wrote:
>
>> Owen Ford wrote:
>>
>>> On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
>>>
>>>
>>>> First, glsa-check claims that I'm vulnerable to 200412-02 and  
>>>> 200505-01. The first is
>>>> pdflib and the second is various horde packages. However, I have  
>>>> the current versions of
>>>> these installed -- the versions that the glsa says I need to  
>>>> solve the vulnerability. So,
>>>> why would glsa-check say I'm vulnerable when I'm not?
>>>>
>>>
>>>
>>> There are probably versions of those packages slotted.  I use  
>>> emerge -Cp
>>> package to see which are installed.
>>>
>>>
>>
>> Very good... exactly the problem. Thanks.
>>
>> As for dealing with all my orphaned packages, I'm figuring on  
>> going through the output of
>> "emerge --depclean" and unmerging everything that comes up with no  
>> dependencies under
>> "equery depends" and is something that I don't think I'll use.  
>> Does that sound reasonable?
>>
>> Oh, and I'm assuming that "equery depends" just checks for  
>> installed packages that depend
>> on the given package... anyone know any way to check a package's  
>> dependency against the
>> entire portage tree?
>>
>> b
>>
> -- 
> gentoo-server@gentoo.org mailing list
>
>

Absolutely agreed with BillK. As I said in my first mail, I have had  
BAD experiences with --depclean. His solution is best. However, glsa- 
check --fix is not the most trustworthy of solutions. On a production  
system always check the ChangeLog and use your own best judgment.

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[A. Khattri]

On Sat, 10 Sep 2005, Owen Ford wrote:

> On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> > First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is
> > pdflib and the second is various horde packages. However, I have the current versions of
> > these installed -- the versions that the glsa says I need to solve the vulnerability. So,
> > why would glsa-check say I'm vulnerable when I'm not?
>
> There are probably versions of those packages slotted.  I use emerge -Cp
> package to see which are installed.

I have a similar problem - the recent changes in Apache coupled with some
updates meant rebuilding mod_php, mod_ssl and apache. glsa-check says Im
still vulnerable despite the updates. I dont have any slotting going on
either so Im still scratching my head.


-- 

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[W.Kenworthy]

Try etcat -v, query l and qpkg -l: each seems to work via a different
aspect of portage and I have found, particularly on older systems that
one or more, but not always all will show discrepancies.  I found equery
the least reliable when things are not right.  Surprisingly, glsa-check
seems to to always (that I can remember) pick up that the bad version
does exist and is installed - believe it!

Billk

On Wed, 2005-09-21 at 01:20 -0400, A. Khattri wrote:
> On Sat, 10 Sep 2005, Owen Ford wrote:
> 
> > On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> > > First, glsa-check claims that I'm vulnerable to 200412-02 and 200505-01. The first is
> > > pdflib and the second is various horde packages. However, I have the current versions of
> > > these installed -- the versions that the glsa says I need to solve the vulnerability. So,
> > > why would glsa-check say I'm vulnerable when I'm not?
> >
> > There are probably versions of those packages slotted.  I use emerge -Cp
> > package to see which are installed.
> 
> I have a similar problem - the recent changes in Apache coupled with some
> updates meant rebuilding mod_php, mod_ssl and apache. glsa-check says Im
> still vulnerable despite the updates. I dont have any slotting going on
> either so Im still scratching my head.
> 
> 
> -- 
> 
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] glsa-check and unused packages

[Pierre Cassimans]

do a

glsa-check -f 200412-02
glsa-check -f 200505-01

and the false errors will be gone.

Pierre

>From: "W.Kenworthy" <billk@iinet.net.au>
>Reply-To: gentoo-server@lists.gentoo.org
>To: gentoo-server@lists.gentoo.org
>Subject: Re: [gentoo-server] glsa-check and unused packages
>Date: Wed, 21 Sep 2005 14:26:01 +0800
>
>Try etcat -v, query l and qpkg -l: each seems to work via a different
>aspect of portage and I have found, particularly on older systems that
>one or more, but not always all will show discrepancies.  I found equery
>the least reliable when things are not right.  Surprisingly, glsa-check
>seems to to always (that I can remember) pick up that the bad version
>does exist and is installed - believe it!
>
>Billk
>
>On Wed, 2005-09-21 at 01:20 -0400, A. Khattri wrote:
> > On Sat, 10 Sep 2005, Owen Ford wrote:
> >
> > > On Sat, 2005-09-10 at 11:49 -0700, Ben Munat wrote:
> > > > First, glsa-check claims that I'm vulnerable to 200412-02 and 
>200505-01. The first is
> > > > pdflib and the second is various horde packages. However, I have the 
>current versions of
> > > > these installed -- the versions that the glsa says I need to solve 
>the vulnerability. So,
> > > > why would glsa-check say I'm vulnerable when I'm not?
> > >
> > > There are probably versions of those packages slotted.  I use emerge 
>-Cp
> > > package to see which are installed.
> >
> > I have a similar problem - the recent changes in Apache coupled with 
>some
> > updates meant rebuilding mod_php, mod_ssl and apache. glsa-check says Im
> > still vulnerable despite the updates. I dont have any slotting going on
> > either so Im still scratching my head.
> >
> >
> > --
> >
>--
>gentoo-server@gentoo.org mailing list
>


-- 
gentoo-server@gentoo.org mailing list

RE: [gentoo-server] glsa-check and unused packages

[Christopher Schwerdt]

> As for dealing with all my orphaned packages, I'm figuring on  
> going through the output of
> "emerge --depclean" and unmerging everything that comes up 
> with no dependencies under
> "equery depends" and is something that I don't think I'll use.  
> Does that sound reasonable?

Give unclepine a try (unclepine -u).
http://forums.gentoo.org/viewtopic.php?t=260866

-- 
gentoo-server@gentoo.org mailing list