* Re: [gentoo-server] A few questions about portage
2005-09-12 17:52 [gentoo-server] A few questions about portage Ian P. Christian
@ 2005-09-12 19:52 ` Matthew Lange
2005-09-15 7:45 ` z3rosix
2005-09-13 3:51 ` Ben Munat
` (2 subsequent siblings)
3 siblings, 1 reply; 12+ messages in thread
From: Matthew Lange @ 2005-09-12 19:52 UTC (permalink / raw
To: gentoo-server
I have the following as an emerge.sh script in my croon.daily directory.
I used to have a lock file to prevent multiple copies from running, but
I now use fcron, which has this feature built-in. By default, all
output gets mailed to root, which I have aliased to me.
---snip---
emerge sync 2>&1 > /dev/null
echo 'emerge system:'
emerge -pv --nocolor system
echo 'emerge world:'
emerge -pv --nocolor world
/usr/bin/revdep-rebuild --pretend --quiet --nocolor
---snip---
Unfortunately, ANSI color is hard-coded into the utilities, so I get a
few control-characters in the output...but it works OK.
I have a better one I wrote, but I'll need to find it...I'll post it later.
Matt
Ian P. Christian wrote:
> I've recently been spending some time getting to know a little more about
> portage, and I've run into a few issues.
>
> $ emerge --update --deep --newuse world
>
> It's reasonably well known that the above doesn't update all packages
> installed on a system - I think it only updates packages that are in the
> world file. Recently, this issue has left a server of mine with a insecure
> version of apache (apache was installed due to a dependency caused by PHP, or
> some application I installed that pulled in php, which in turn pulled in
> apache.).
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a log of users of gentoo probably don't know
> this.
>
> From the manual:
>
> "When you install a package with uninstalled dependencies and do not
> explicitly state those dependencies in the list of parameters, they will not
> be added to the world file. If you want them to be detected for world
> updates, make sure to explicitly list them as parameters to emerge."
>
> It should have a big WARNING or something next to it IMO.
>
> emerge --depclean will point out what isn't in your world file for you, so you
> can go ahead and add things to the world file manually. Having done this,
> when you uninstall whatever it was that dragged that dependency in in the
> first place, you will get unneeed packages on the system.
>
> Lets say for examples sake I install mail-client/squirrelmail. This will pull
> in PHP, which will pull in apache. In this case, -uD will not update apache
> should a new version appear. An emerge --depclean will show apache as being
> removable- so apache will need manually adding to the world file. Now, when
> I uninstall squirrrelmail, apache is no longer needed, but depclean won't
> show that, because I was forced to add it to the world file. In a lot of
> situations, the package might be a lot more obscure, perhaps some odd
> libraries which now are in the world file, and will stay there, because
> unless I manually look though the world file, and run an 'equery depends' on
> each one, I won't notice they are no longer needed.
>
> So it seems that I either suffer packages not being updated, or am forced into
> adding things into the world file and then face the problem that dependencies
> will not be removable by depclean.
>
> Also, I don't understand why emerge --depclean will show a package, which upon
> doing an 'equery depends' on that package will show that actaully that
> package is needed. Why do these tools contradict each other? Surly depclean
> should have the logic that equery uses to see when a dependency really is
> needed?
>
> glsa-check goes some way to solving the problem, it does check to see if there
> are outdated packages that have been effected by security issues - but it
> doens't update libraries that were installed but aren't in the world file.
>
> Is there a script that's been developed to be cronned to email the sys admin a
> report saying what packages need updating? I noticed that in the last month
> on this list there has been some useful information about running glsa-check
> and rsynicng just part of the portage tree. This kind of thing is intregal to
> running a server, and if no such script exists in the portage tree, I will
> attempt to write one.
>
> Kind Regards,
>
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [gentoo-server] A few questions about portage
2005-09-12 19:52 ` Matthew Lange
@ 2005-09-15 7:45 ` z3rosix
2005-09-15 15:06 ` Ian P. Christian
2005-09-15 15:59 ` Ben Munat
0 siblings, 2 replies; 12+ messages in thread
From: z3rosix @ 2005-09-15 7:45 UTC (permalink / raw
To: gentoo-server
Hello,
maybe i'm wrong but doens't "emerge -pv world" include "emerge -pv
system" ???
so you just need to "emerge world"
and bye the way you can use "emerge --sync -q" so you got only erros
emailed.
greetz
alex
On Mon, Sep 12, 2005 at 02:52:16PM -0500, Matthew Lange wrote:
> I have the following as an emerge.sh script in my croon.daily directory.
> I used to have a lock file to prevent multiple copies from running, but
> I now use fcron, which has this feature built-in. By default, all
> output gets mailed to root, which I have aliased to me.
>
> ---snip---
> emerge sync 2>&1 > /dev/null
> echo 'emerge system:'
> emerge -pv --nocolor system
> echo 'emerge world:'
> emerge -pv --nocolor world
> /usr/bin/revdep-rebuild --pretend --quiet --nocolor
> ---snip---
>
> Unfortunately, ANSI color is hard-coded into the utilities, so I get a
> few control-characters in the output...but it works OK.
>
> I have a better one I wrote, but I'll need to find it...I'll post it later.
>
> Matt
>
>
>
> Ian P. Christian wrote:
> > I've recently been spending some time getting to know a little more about
> > portage, and I've run into a few issues.
> >
> > $ emerge --update --deep --newuse world
> >
> > It's reasonably well known that the above doesn't update all packages
> > installed on a system - I think it only updates packages that are in the
> > world file. Recently, this issue has left a server of mine with a insecure
> > version of apache (apache was installed due to a dependency caused by PHP, or
> > some application I installed that pulled in php, which in turn pulled in
> > apache.).
> > The man page does cover this, but it's by no means made obvious - and I think
> > this is rather a large issue, as a log of users of gentoo probably don't know
> > this.
> >
> > From the manual:
> >
> > "When you install a package with uninstalled dependencies and do not
> > explicitly state those dependencies in the list of parameters, they will not
> > be added to the world file. If you want them to be detected for world
> > updates, make sure to explicitly list them as parameters to emerge."
> >
> > It should have a big WARNING or something next to it IMO.
> >
> > emerge --depclean will point out what isn't in your world file for you, so you
> > can go ahead and add things to the world file manually. Having done this,
> > when you uninstall whatever it was that dragged that dependency in in the
> > first place, you will get unneeed packages on the system.
> >
> > Lets say for examples sake I install mail-client/squirrelmail. This will pull
> > in PHP, which will pull in apache. In this case, -uD will not update apache
> > should a new version appear. An emerge --depclean will show apache as being
> > removable- so apache will need manually adding to the world file. Now, when
> > I uninstall squirrrelmail, apache is no longer needed, but depclean won't
> > show that, because I was forced to add it to the world file. In a lot of
> > situations, the package might be a lot more obscure, perhaps some odd
> > libraries which now are in the world file, and will stay there, because
> > unless I manually look though the world file, and run an 'equery depends' on
> > each one, I won't notice they are no longer needed.
> >
> > So it seems that I either suffer packages not being updated, or am forced into
> > adding things into the world file and then face the problem that dependencies
> > will not be removable by depclean.
> >
> > Also, I don't understand why emerge --depclean will show a package, which upon
> > doing an 'equery depends' on that package will show that actaully that
> > package is needed. Why do these tools contradict each other? Surly depclean
> > should have the logic that equery uses to see when a dependency really is
> > needed?
> >
> > glsa-check goes some way to solving the problem, it does check to see if there
> > are outdated packages that have been effected by security issues - but it
> > doens't update libraries that were installed but aren't in the world file.
> >
> > Is there a script that's been developed to be cronned to email the sys admin a
> > report saying what packages need updating? I noticed that in the last month
> > on this list there has been some useful information about running glsa-check
> > and rsynicng just part of the portage tree. This kind of thing is intregal to
> > running a server, and if no such script exists in the portage tree, I will
> > attempt to write one.
> >
> > Kind Regards,
> >
> --
> gentoo-server@gentoo.org mailing list
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-15 7:45 ` z3rosix
@ 2005-09-15 15:06 ` Ian P. Christian
2005-09-15 15:49 ` Matthew Lange
2005-09-15 16:12 ` z3rosix
2005-09-15 15:59 ` Ben Munat
1 sibling, 2 replies; 12+ messages in thread
From: Ian P. Christian @ 2005-09-15 15:06 UTC (permalink / raw
To: gentoo-server; +Cc: z3rosix
[-- Attachment #1: Type: text/plain, Size: 512 bytes --]
On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
> maybe i'm wrong but doens't "emerge -pv world" include "emerge -pv
> system" ???
> so you just need to "emerge world"
> and bye the way you can use "emerge --sync -q" so you got only erros
> emailed.
I was curious as to why that was done too. Eitherway, doing an emerge world
will still leave out of date, possibly insecure packages on the system, so I
wouldn't advise relying on that.
--
Ian P. Christian ~ http://pookey.co.uk
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-15 15:06 ` Ian P. Christian
@ 2005-09-15 15:49 ` Matthew Lange
2005-09-15 16:11 ` Ian P. Christian
2005-09-15 16:12 ` z3rosix
1 sibling, 1 reply; 12+ messages in thread
From: Matthew Lange @ 2005-09-15 15:49 UTC (permalink / raw
To: gentoo-server
I originally did that to see the difference between 'emerge system' and
'emerge world', since system packages are supposed to only be the ones
necessary for the operation of the system.
I have a lot of boxes that I manage, so I can't always afford the
compile time/downtime on all of them, so I mostly just 'emerge system'
on those boxes.
Then I look at the 'emerge world' output to see if I really need to
update the boxes with those packages, since they are mostly version
bumps and may not be as critical.
Matt
Ian P. Christian wrote:
> On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
>
>>maybe i'm wrong but doens't "emerge -pv world" include "emerge -pv
>>system" ???
>>so you just need to "emerge world"
>>and bye the way you can use "emerge --sync -q" so you got only erros
>>emailed.
>
>
> I was curious as to why that was done too. Eitherway, doing an emerge world
> will still leave out of date, possibly insecure packages on the system, so I
> wouldn't advise relying on that.
>
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-15 15:06 ` Ian P. Christian
2005-09-15 15:49 ` Matthew Lange
@ 2005-09-15 16:12 ` z3rosix
1 sibling, 0 replies; 12+ messages in thread
From: z3rosix @ 2005-09-15 16:12 UTC (permalink / raw
To: gentoo-server
On Thu, Sep 15, 2005 at 04:06:24PM +0100, Ian P. Christian wrote:
> On Thursday 15 September 2005 08:45, z3rosix@my-mail.ch wrote:
> > maybe i'm wrong but doens't "emerge -pv world" include "emerge -pv
> > system" ???
> > so you just need to "emerge world"
> > and bye the way you can use "emerge --sync -q" so you got only erros
> > emailed.
>
> I was curious as to why that was done too. Eitherway, doing an emerge world
> will still leave out of date, possibly insecure packages on the system, so I
> wouldn't advise relying on that.
>
> --
> Ian P. Christian ~ http://pookey.co.uk
yes but these packages can you get with "glsa-check -t all".
I have an server with gentoo and run every day "emerge --sync -q" and
"glsa-check -t all", also i think about "revdep-rebuild -pq"
I'm sure that i don't get all packages which need to update, but if one of them has an seucirty issue i will get it, and this is enough for me ;_)
greetz
alex
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-15 7:45 ` z3rosix
2005-09-15 15:06 ` Ian P. Christian
@ 2005-09-15 15:59 ` Ben Munat
1 sibling, 0 replies; 12+ messages in thread
From: Ben Munat @ 2005-09-15 15:59 UTC (permalink / raw
To: gentoo-server
Yes, but it's possible to have packages on your machine that aren't in system or world.
And you can also have packages on machine that aren't even dependecies of packages in
system or world. This surprised me. But, I suppose it's bound to happen as packages mature
and old dependencies go away.
b
z3rosix@my-mail.ch wrote:
> Hello,
>
> maybe i'm wrong but doens't "emerge -pv world" include "emerge -pv
> system" ???
> so you just need to "emerge world"
> and bye the way you can use "emerge --sync -q" so you got only erros
> emailed.
>
>
> greetz
>
> alex
>
> On Mon, Sep 12, 2005 at 02:52:16PM -0500, Matthew Lange wrote:
>
>>I have the following as an emerge.sh script in my croon.daily directory.
>> I used to have a lock file to prevent multiple copies from running, but
>>I now use fcron, which has this feature built-in. By default, all
>>output gets mailed to root, which I have aliased to me.
>>
>>---snip---
>> emerge sync 2>&1 > /dev/null
>> echo 'emerge system:'
>> emerge -pv --nocolor system
>> echo 'emerge world:'
>> emerge -pv --nocolor world
>> /usr/bin/revdep-rebuild --pretend --quiet --nocolor
>>---snip---
>>
>>Unfortunately, ANSI color is hard-coded into the utilities, so I get a
>>few control-characters in the output...but it works OK.
>>
>>I have a better one I wrote, but I'll need to find it...I'll post it later.
>>
>>Matt
>>
>>
>>
>>Ian P. Christian wrote:
>>
>>>I've recently been spending some time getting to know a little more about
>>>portage, and I've run into a few issues.
>>>
>>>$ emerge --update --deep --newuse world
>>>
>>>It's reasonably well known that the above doesn't update all packages
>>>installed on a system - I think it only updates packages that are in the
>>>world file. Recently, this issue has left a server of mine with a insecure
>>>version of apache (apache was installed due to a dependency caused by PHP, or
>>>some application I installed that pulled in php, which in turn pulled in
>>>apache.).
>>>The man page does cover this, but it's by no means made obvious - and I think
>>>this is rather a large issue, as a log of users of gentoo probably don't know
>>>this.
>>>
>>>From the manual:
>>>
>>> "When you install a package with uninstalled dependencies and do not
>>>explicitly state those dependencies in the list of parameters, they will not
>>>be added to the world file. If you want them to be detected for world
>>>updates, make sure to explicitly list them as parameters to emerge."
>>>
>>>It should have a big WARNING or something next to it IMO.
>>>
>>>emerge --depclean will point out what isn't in your world file for you, so you
>>>can go ahead and add things to the world file manually. Having done this,
>>>when you uninstall whatever it was that dragged that dependency in in the
>>>first place, you will get unneeed packages on the system.
>>>
>>>Lets say for examples sake I install mail-client/squirrelmail. This will pull
>>>in PHP, which will pull in apache. In this case, -uD will not update apache
>>>should a new version appear. An emerge --depclean will show apache as being
>>>removable- so apache will need manually adding to the world file. Now, when
>>>I uninstall squirrrelmail, apache is no longer needed, but depclean won't
>>>show that, because I was forced to add it to the world file. In a lot of
>>>situations, the package might be a lot more obscure, perhaps some odd
>>>libraries which now are in the world file, and will stay there, because
>>>unless I manually look though the world file, and run an 'equery depends' on
>>>each one, I won't notice they are no longer needed.
>>>
>>>So it seems that I either suffer packages not being updated, or am forced into
>>>adding things into the world file and then face the problem that dependencies
>>>will not be removable by depclean.
>>>
>>>Also, I don't understand why emerge --depclean will show a package, which upon
>>>doing an 'equery depends' on that package will show that actaully that
>>>package is needed. Why do these tools contradict each other? Surly depclean
>>>should have the logic that equery uses to see when a dependency really is
>>>needed?
>>>
>>>glsa-check goes some way to solving the problem, it does check to see if there
>>>are outdated packages that have been effected by security issues - but it
>>>doens't update libraries that were installed but aren't in the world file.
>>>
>>>Is there a script that's been developed to be cronned to email the sys admin a
>>>report saying what packages need updating? I noticed that in the last month
>>>on this list there has been some useful information about running glsa-check
>>>and rsynicng just part of the portage tree. This kind of thing is intregal to
>>>running a server, and if no such script exists in the portage tree, I will
>>>attempt to write one.
>>>
>>>Kind Regards,
>>>
>>
>>--
>>gentoo-server@gentoo.org mailing list
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-12 17:52 [gentoo-server] A few questions about portage Ian P. Christian
2005-09-12 19:52 ` Matthew Lange
@ 2005-09-13 3:51 ` Ben Munat
2005-09-23 22:00 ` Christian Ehlers
2005-09-28 14:05 ` Alex Efros
3 siblings, 0 replies; 12+ messages in thread
From: Ben Munat @ 2005-09-13 3:51 UTC (permalink / raw
To: gentoo-server
Ian,
I was just going on about a similar concern to yours and Chris Schwerdt replied just this
morning with this:
<snip>
Give unclepine a try (unclepine -u).
http://forums.gentoo.org/viewtopic.php?t=260866
</snip>
I tried it out and it seems to work pretty well. The author claims that equery depends
isn't very reliable. I tried unclepine with glib -- which "emerge --depclean" said it
wanted to remove, but "equery depends" said is depended on by a bunch of packages -- and
it says glib is not depended on by anything. Go figure.
I agree that there are definitely some rough spots in portage (though you should switch to
FreeBSD and see how much of a mess the Ports system is in comparison). I've been using
gentoo for a couple years and I just figured out the stuff about packages not getting
updated if it's not in the world file.
Oh, by the way emerge -uD world will update dependencies of everything in the world file,
even if there not in the world file themselves... it's the stuff that gets emerged and
then stops being a dependency of something else that's the problem. Although, I suppose
one could make the weak argument that, if a package is no longer a dependency of anything,
it's probably not going to be exercised. Still, it seems this would be pretty simple to
solve if there were an "emerge *", that checked every package on your machine for an update.
b
PS: just before I sent this I had a hunch and tried "equery depends glibc"... it has the
same output as "equery depends glib". So, that was just a lack of specificity on my
part... though equery really should squawk if a pkg is not specific enough (or not found).
If I try "equery depends dev-libs/glib" it comes back with no dependencies.
Ian P. Christian wrote:
> I've recently been spending some time getting to know a little more about
> portage, and I've run into a few issues.
>
> $ emerge --update --deep --newuse world
>
> It's reasonably well known that the above doesn't update all packages
> installed on a system - I think it only updates packages that are in the
> world file. Recently, this issue has left a server of mine with a insecure
> version of apache (apache was installed due to a dependency caused by PHP, or
> some application I installed that pulled in php, which in turn pulled in
> apache.).
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a log of users of gentoo probably don't know
> this.
>
> From the manual:
>
> "When you install a package with uninstalled dependencies and do not
> explicitly state those dependencies in the list of parameters, they will not
> be added to the world file. If you want them to be detected for world
> updates, make sure to explicitly list them as parameters to emerge."
>
> It should have a big WARNING or something next to it IMO.
>
> emerge --depclean will point out what isn't in your world file for you, so you
> can go ahead and add things to the world file manually. Having done this,
> when you uninstall whatever it was that dragged that dependency in in the
> first place, you will get unneeed packages on the system.
>
> Lets say for examples sake I install mail-client/squirrelmail. This will pull
> in PHP, which will pull in apache. In this case, -uD will not update apache
> should a new version appear. An emerge --depclean will show apache as being
> removable- so apache will need manually adding to the world file. Now, when
> I uninstall squirrrelmail, apache is no longer needed, but depclean won't
> show that, because I was forced to add it to the world file. In a lot of
> situations, the package might be a lot more obscure, perhaps some odd
> libraries which now are in the world file, and will stay there, because
> unless I manually look though the world file, and run an 'equery depends' on
> each one, I won't notice they are no longer needed.
>
> So it seems that I either suffer packages not being updated, or am forced into
> adding things into the world file and then face the problem that dependencies
> will not be removable by depclean.
>
> Also, I don't understand why emerge --depclean will show a package, which upon
> doing an 'equery depends' on that package will show that actaully that
> package is needed. Why do these tools contradict each other? Surly depclean
> should have the logic that equery uses to see when a dependency really is
> needed?
>
> glsa-check goes some way to solving the problem, it does check to see if there
> are outdated packages that have been effected by security issues - but it
> doens't update libraries that were installed but aren't in the world file.
>
> Is there a script that's been developed to be cronned to email the sys admin a
> report saying what packages need updating? I noticed that in the last month
> on this list there has been some useful information about running glsa-check
> and rsynicng just part of the portage tree. This kind of thing is intregal to
> running a server, and if no such script exists in the portage tree, I will
> attempt to write one.
>
> Kind Regards,
>
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-12 17:52 [gentoo-server] A few questions about portage Ian P. Christian
2005-09-12 19:52 ` Matthew Lange
2005-09-13 3:51 ` Ben Munat
@ 2005-09-23 22:00 ` Christian Ehlers
2005-09-28 3:30 ` Marius Mauch
2005-09-28 14:05 ` Alex Efros
3 siblings, 1 reply; 12+ messages in thread
From: Christian Ehlers @ 2005-09-23 22:00 UTC (permalink / raw
To: gentoo-server
I am doing the following:
1. qpkg -I -nc |xargs emerge -u
2. revdep-rebuild
I am wondering if this is sufficient? Basically as far as I understand
it, 1. will check for updates on all packages installed, and 2. will
check if anything needs recompiling because a shared library has been
updated.
Anything else I need to do to make sure my system is up2date? Maybe I
missed something in the replies, but as far as I understood it
(admitting that English isn't my 1st or 2nd language) there was no real
solution posted yet?
Should I still do an emerge -u --deep world (+ --newuse if I change the
use variable?)
Regards,
Christian Ehlers
On Mon, 2005-09-12 at 18:52 +0100, Ian P. Christian wrote:
> I've recently been spending some time getting to know a little more about
> portage, and I've run into a few issues.
>
> $ emerge --update --deep --newuse world
>
> It's reasonably well known that the above doesn't update all packages
> installed on a system - I think it only updates packages that are in the
> world file. Recently, this issue has left a server of mine with a insecure
> version of apache (apache was installed due to a dependency caused by PHP, or
> some application I installed that pulled in php, which in turn pulled in
> apache.).
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a log of users of gentoo probably don't know
> this.
>
> From the manual:
>
> "When you install a package with uninstalled dependencies and do not
> explicitly state those dependencies in the list of parameters, they will not
> be added to the world file. If you want them to be detected for world
> updates, make sure to explicitly list them as parameters to emerge."
>
[.......]
> Kind Regards,
>
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-23 22:00 ` Christian Ehlers
@ 2005-09-28 3:30 ` Marius Mauch
0 siblings, 0 replies; 12+ messages in thread
From: Marius Mauch @ 2005-09-28 3:30 UTC (permalink / raw
To: gentoo-server
Christian Ehlers wrote:
> I am doing the following:
>
> 1. qpkg -I -nc |xargs emerge -u
>
> 2. revdep-rebuild
>
> I am wondering if this is sufficient? Basically as far as I understand
> it, 1. will check for updates on all packages installed, and 2. will
> check if anything needs recompiling because a shared library has been
> updated.
>
> Anything else I need to do to make sure my system is up2date? Maybe I
> missed something in the replies, but as far as I understood it
> (admitting that English isn't my 1st or 2nd language) there was no real
> solution posted yet?
>
> Should I still do an emerge -u --deep world (+ --newuse if I change the
> use variable?)
First: don't use qpkg, it's dead and has several conceptual bugs
(causing for example wrong results for the command you use). New
gentoolkit versions already don't install it anymore (except for a copy
in the docs dir).
As for general update procedure, I'd recommend:
- glsa-check -l $(glsa-check -t new)
- Update those packages first (glsa-check -f new, might cause some
redundant updates though later due to a different update strategy)
- emerge -uavDN world
- emerge -p --depclean
- Check that list and either remove the packages or add them to the
world file
- revdep-rebuild || revdep-rebuild -X
This requires and ensures that your worldfile is always uptodate and
correct, thought you might have already corrupted it with your qpkg
trick (as in some versions -u added a package to world).
Marius
--
gentoo-server@gentoo.org mailing list
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-server] A few questions about portage
2005-09-12 17:52 [gentoo-server] A few questions about portage Ian P. Christian
` (2 preceding siblings ...)
2005-09-23 22:00 ` Christian Ehlers
@ 2005-09-28 14:05 ` Alex Efros
3 siblings, 0 replies; 12+ messages in thread
From: Alex Efros @ 2005-09-28 14:05 UTC (permalink / raw
To: gentoo-server
[-- Attachment #1: Type: text/plain, Size: 3340 bytes --]
Hi!
On Mon, Sep 12, 2005 at 06:52:31PM +0100, Ian P. Christian wrote:
> The man page does cover this, but it's by no means made obvious - and I think
> this is rather a large issue, as a log of users of gentoo probably don't know
> this.
Yep. :( And there exists some things which probably (was?) not covered by
manuals - I've spend a lot of time reading forums to make clear how to
use portage in SAFE way. I've summarized this information and post in
forum, but, sorry, it's in russian - I've no time to translate it now.
It's available here: http://gentoo.ru/node/193 (if somebody wanna translate).
In short, to update system in __SAFE__ way:
1. Check /var/lib/portage/world:
- it shouldn't contain any libraries and software which YOU don't need
and which is just dependent by some other packages
- it shouldn't contain packages which are in 'system'
- is shouldn't contain packages with version/revision number
2. Check /etc/portage/* files because they can contain non-actual things
which prevent you upgrade in right way now.
3. Rarely, but profile update may be needed (usually when old profile
become deprecated or when switching to hardened, etc.).
4. USE flags for some packages may be changed. To detect this, run
emerge -uDNpv world
and review flags for all critical (for you) packages.
5. If none from toolchain (linux-headers, glibc, binutils, gcc) packages
wanna upgrade then just run
emerge -uDNav world
else things become more complicated because for a number of reasons
it's good idea to recompile all system in this way:
# clean $pkgdir in some way to optimize compilation speed by
# building/using binary packages:
pkgdir=$(portageq pkgdir)
mv $pkgdir /tmp/portage-packages
install -d -o portage -g portage $pkgdir
# compile toolchain: first pass
emerge linux-headers glibc binutils gcc-config gcc
# select new gcc if it was installed in new SLOT
gcc-config ...
source /etc/profile
# compile toolchain: second pass + make binary packages
emerge -b glibc binutils gcc portage
# recompile system (toolchain used from binary packages to save time)
emerge -bke system
# recompile world (system used from binary packages to save time)
emerge -ke world
6. Even after this there may exists not updated packages with security
holes (in SLOTs), so:
glsa-check -l | grep '\[N\]'
emerge ... # manually update needed packages
7. Remove unneeded dependencies:
emerge -a depclean
emerge -uDNav world # fix possible errors in depclean
8. After updating libraries there may be needed to recompile something:
rm /root/.revdep-rebuild*.?_*
revdep-rebuild
9. Update config files:
dispatch-conf
10. While updating package some ebuilds print important information
(which is lost which batch update, of course). To review this
information you need `enotice` or `portlog-info` tools.
11. ... Joke! That's all, folks! :-))
Of course, not all these steps needed every day, but ... Anyway, without
manual actions and a lot of attention it's impossible to update system
in safe way. This isn't Gentoo problem, of course, same issues exists in
other distributions, but they are mostly hidden and hit you when you
don't expect. :(
--
WBR, Alex.
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread