FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Development

 
 
LinkBack Thread Tools
 
Old 10-11-2011, 07:56 PM
Michał Górny
 
Default Build dependencies and upgrades.

On Tue, 11 Oct 2011 12:36:15 -0700
Alec Warner <antarus@gentoo.org> wrote:

> On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
> > El 11/10/11 20:55, Markos Chandras escribió:
> >> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
> >> > Hi,
> >>
> >> > Today I have found that build dependencies are left in the system
> >> > but won't be upgraded when running emerge -vauD1 world. This can
> >> > be inconvenient since security issues fixed in those left over
> >> > packages won't be applied properly. So, is there any reason for
> >> > this behaviour? Shouldn't build dependencies either be cleaned
> >> > with --depclean after building or be upgraded to avoid possible
> >> > issues?
> >>
> >> > Sorry if this gets in here twice, I used an incorrect account.
> >>
> >>
> >> Maybe you want the --with-bdeps parameter along with the -D one?.
> >> man emerge -> section Options -> parameter -D
> > That makes sense but then the problem is on the poor documentation
> > we have in the Internet.
> > http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
> > Here no mention to that option is made
> > Nor is in:
> > http://www.gentoo.org/doc/en/gentoo-upgrading.xml
> >
> > And in fact no mention to the option is made in the doc space at
> > all. I may also be wrong here but I don't recall finding it when I
> > started with portage and no notice was issued since then so either
> > I misunderstood it, kinda likely by then, or it was added later.
> > And the fact it wasn't commented at all in the documentation didn't
> > help.
> >
> > The question now is anybody thinks this shouldn't appear in the
> > handbook? If nobody has a problem I'll prepare a patch.
> >
> > PS: howarang thanks for the point I found it really odd this was
> > missing.
> >
> >
>
> FYI: there are a truckload of options that are available in portage
> but are not documented in the handbook. I'm not really sure
> replicating the portage manpages in the handbook is necessarily a good
> way to move forward. Ideally we would direct users to just read the
> manpages.

Or go with a saner defaults...

--
Best regards,
Michał Górny
 
Old 10-11-2011, 08:07 PM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default Build dependencies and upgrades.

El 11/10/11 21:36, Alec Warner escribi:
> On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> El 11/10/11 20:55, Markos Chandras escribi:
>>> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>> Hi,
>>>> Today I have found that build dependencies are left in the system
>>>> but won't be upgraded when running emerge -vauD1 world. This can be
>>>> inconvenient since security issues fixed in those left over
>>>> packages won't be applied properly. So, is there any reason for
>>>> this behaviour? Shouldn't build dependencies either be cleaned with
>>>> --depclean after building or be upgraded to avoid possible issues?
>>>> Sorry if this gets in here twice, I used an incorrect account.
>>>
>>> Maybe you want the --with-bdeps parameter along with the -D one?. man
>>> emerge -> section Options -> parameter -D
>> That makes sense but then the problem is on the poor documentation we
>> have in the Internet.
>> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
>> Here no mention to that option is made
>> Nor is in:
>> http://www.gentoo.org/doc/en/gentoo-upgrading.xml
>>
>> And in fact no mention to the option is made in the doc space at all. I
>> may also be wrong here but I don't recall finding it when I started with
>> portage and no notice was issued since then so either I misunderstood
>> it, kinda likely by then, or it was added later. And the fact it wasn't
>> commented at all in the documentation didn't help.
>>
>> The question now is anybody thinks this shouldn't appear in the
>> handbook? If nobody has a problem I'll prepare a patch.
>>
>> PS: howarang thanks for the point I found it really odd this was missing.
>>
>>
> FYI: there are a truckload of options that are available in portage
> but are not documented in the handbook. I'm not really sure
> replicating the portage manpages in the handbook is necessarily a good
> way to move forward. Ideally we would direct users to just read the
> manpages.
Antarus, an user who has read the whole installation handbook and is new
to the distro should by then have a lot of new ideas in mind to direct
them to man pages written in a more technical way creating even more
confusion. Add to to that any search on how to update / upgrade Gentoo
and you will find the same set of commands almost always:
$ emerge -u world
$ emerge -uD world
With no references to other parameters at all. Which can make users
assume that it is a safe default. If you look in the docs I provided
you'll see it is the case.
 
Old 10-11-2011, 08:08 PM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default Build dependencies and upgrades.

El 11/10/11 21:36, Alec Warner escribi:
> On Tue, Oct 11, 2011 at 12:23 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> El 11/10/11 20:55, Markos Chandras escribi:
>>> On 10/11/11 19:50, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>> Hi,
>>>> Today I have found that build dependencies are left in the system
>>>> but won't be upgraded when running emerge -vauD1 world. This can be
>>>> inconvenient since security issues fixed in those left over
>>>> packages won't be applied properly. So, is there any reason for
>>>> this behaviour? Shouldn't build dependencies either be cleaned with
>>>> --depclean after building or be upgraded to avoid possible issues?
>>>> Sorry if this gets in here twice, I used an incorrect account.
>>>
>>> Maybe you want the --with-bdeps parameter along with the -D one?. man
>>> emerge -> section Options -> parameter -D
>> That makes sense but then the problem is on the poor documentation we
>> have in the Internet.
>> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1
>> Here no mention to that option is made
>> Nor is in:
>> http://www.gentoo.org/doc/en/gentoo-upgrading.xml
>>
>> And in fact no mention to the option is made in the doc space at all. I
>> may also be wrong here but I don't recall finding it when I started with
>> portage and no notice was issued since then so either I misunderstood
>> it, kinda likely by then, or it was added later. And the fact it wasn't
>> commented at all in the documentation didn't help.
>>
>> The question now is anybody thinks this shouldn't appear in the
>> handbook? If nobody has a problem I'll prepare a patch.
>>
>> PS: howarang thanks for the point I found it really odd this was missing.
>>
>>
> FYI: there are a truckload of options that are available in portage
> but are not documented in the handbook. I'm not really sure
> replicating the portage manpages in the handbook is necessarily a good
> way to move forward. Ideally we would direct users to just read the
> manpages.
Antarus, an user who has read the whole installation handbook and is new
to the distro should by then have a lot of new ideas in mind to direct
them to man pages written in a more technical way creating even more
confusion. Add to to that any search on how to update / upgrade Gentoo
and you will find the same set of commands almost always:
$ emerge -u world
$ emerge -uD world
With no references to other parameters at all. Which can make users
assume that it is a safe default. If you look in the docs I provided
you'll see it is the case.
 
Old 10-11-2011, 09:04 PM
Mike Gilbert
 
Default Build dependencies and upgrades.

On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
(klondike) <klondike@gentoo.org> wrote:
> So, is there any reason for this behaviour? Shouldn't build dependencies
> either be cleaned with --depclean after building or be upgraded to avoid
> possible issues?
>

I agree: with-bdeps should either default to y or n across the board.

I understand the idea behind turning it on for depclean to reduce the
amount uninstalls/re-installs, but I think that really just introduces
more confusion than the time savings is worth.
 
Old 10-11-2011, 11:27 PM
Duncan
 
Default Build dependencies and upgrades.

Mike Gilbert posted on Tue, 11 Oct 2011 17:04:02 -0400 as excerpted:

> On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> So, is there any reason for this behaviour? Shouldn't build
>> dependencies either be cleaned with --depclean after building or be
>> upgraded to avoid possible issues?
>>
>>
> I agree: with-bdeps should either default to y or n across the board.
>
> I understand the idea behind turning it on for depclean to reduce the
> amount uninstalls/re-installs, but I think that really just introduces
> more confusion than the time savings is worth.

FWIW, --with-bdeps is a relatively new portage option. AFAIK it was
added during the period when the docs team was pretty much just a single
person, who was getting further and further behind and was understandably
burnt out, but being the only person available, he remained at his post
tho I'm sure he would have MUCH rather done something else.

That's probably why there's no mention in the docs other than the portage
manpage. Now that we have swift back, he's applying some much needed
attention to the docs tree and its coming back into shape. =:^)

So yes, I'd suggest a handbook update is in order. Well, either that, or
arguably, a tweak of the portage defaults. But of course Zac's the guy
who knows most about that, and why the defaults are what they are, so
he's the one that needs to answer on that angle.

Meanwhile, thanks for bringing it up, klondike. =:^)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
 
Old 10-12-2011, 03:13 AM
Zac Medico
 
Default Build dependencies and upgrades.

On 10/11/2011 11:50 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi,
>
> Today I have found that build dependencies are left in the system but
> won't be upgraded when running emerge -vauD1 world.
> This can be inconvenient since security issues fixed in those left over
> packages won't be applied properly.
> So, is there any reason for this behaviour?

1) It's a waste of time to build/update packages that won't be used for
anything. That's what --with-bdeps=y. If you plan to use these packages
for something, then you should add them to world or add --with-bdeps=y
to EMERGE_DEFAULT_OPTS so that they'll update automatically.

2) Aside from being a waste of resources, if we enabled --with-bdeps=y
by default for update actions then to would cause unwanted results for
people who use binary packages and don't expect the build-time deps to
get pulled in.

> Shouldn't build dependencies
> either be cleaned with --depclean after building

This is another waste of resources, since you'll have to install them
again the next time that you need them. However, you are free to use
--with-bdeps=n with --depclean if it suits you. One size does not fit
all, so that's why we have options.

> or be upgraded to avoid
> possible issues?

Again, if you plan to use these packages for something, then you should
add them to world or add --with-bdeps=y to EMERGE_DEFAULT_OPTS so that
they'll update automatically. Again, you've got choices and what suits
you doesn't necessarily suit everyone else.

Personally, I like to set EMERGE_DEFAULT_OPTS="--with-bdeps=y" because
like to know that all the build deps are at their latest versions in
case I decide to rebuild some random package.
--
Thanks,
Zac
 
Old 10-12-2011, 04:48 AM
Zac Medico
 
Default Build dependencies and upgrades.

On 10/11/2011 02:04 PM, Mike Gilbert wrote:
> On Tue, Oct 11, 2011 at 2:50 PM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
>> So, is there any reason for this behaviour? Shouldn't build dependencies
>> either be cleaned with --depclean after building or be upgraded to avoid
>> possible issues?
>>
>
> I agree: with-bdeps should either default to y or n across the board.
>
> I understand the idea behind turning it on for depclean to reduce the
> amount uninstalls/re-installs, but I think that really just introduces
> more confusion than the time savings is worth.

Changing defaults is also confusing. Changing defaults to values that
are the opposite of what most people want is even more confusing.

I think the existing defaults are fine. If people are confused by them,
then I think they just need some documentation to clarify the reasons
for the existing defaults.
--
Thanks,
Zac
 
Old 10-12-2011, 04:54 AM
Zac Medico
 
Default Build dependencies and upgrades.

On 10/11/2011 12:56 PM, Michał Górny wrote:
> Or go with a saner defaults...

So, are any of the following sane?

1) Pull in updates for packages even though those packages won't be used
for anything.

2) Pull in build-time dependencies for packages that are already built,
even though no portage version has ever done this before by default.

3) Make depclean remove build-time dependencies by default, only to have
the rebuilt/installed the next time that the system is updated.

--
Thanks,
Zac
 
Old 10-12-2011, 05:28 AM
Mike Gilbert
 
Default Build dependencies and upgrades.

On 10/12/2011 12:54 AM, Zac Medico wrote:
> On 10/11/2011 12:56 PM, Michał Górny wrote:
>> Or go with a saner defaults...
>
> So, are any of the following sane?
>
> 1) Pull in updates for packages even though those packages won't be used
> for anything.
>

Francisco raised a possibly valid point in his original message: though
packages may not be currently used for anything, but they could contain
un-patched security flaws.

This seems pretty unlikely to me given the sorts of packages that are
build-time-only deps, but it could be possible.
 
Old 10-12-2011, 05:47 AM
Zac Medico
 
Default Build dependencies and upgrades.

On 10/11/2011 10:28 PM, Mike Gilbert wrote:
> On 10/12/2011 12:54 AM, Zac Medico wrote:
>> On 10/11/2011 12:56 PM, Michał Górny wrote:
>>> Or go with a saner defaults...
>>
>> So, are any of the following sane?
>>
>> 1) Pull in updates for packages even though those packages won't be used
>> for anything.
>>
>
> Francisco raised a possibly valid point in his original message: though
> packages may not be currently used for anything, but they could contain
> un-patched security flaws.

If they contain something that's accessed at runtime, then they should
be in RDEPEND or PDEPEND, no exceptions.

> This seems pretty unlikely to me given the sorts of packages that are
> build-time-only deps, but it could be possible.

We can try to split up people who care about this into categories:

1) People who are "security conscious" or just plain paranoid can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to ease their minds.

2) People who want all build-time deps up to date at all times, in case
they decide to rebuild something on a whim, can set
EMERGE_DEFAULT_OPTS="--with-bdeps=y" to keep everything up to date. This
is what I do.

3) People who think they might use a particular package and want to
ensure that it's the latest version can add that package to the world
file. They can look for possible candidates in the output of `emerge
--pretend --depclean --with-bdeps=n`.
--
Thanks,
Zac
 

Thread Tools




All times are GMT. The time now is 06:38 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org