81721 – glsa-check doesn't merge the latest version of a package (gentoolkit 0.2.0)

Bug 81721 - glsa-check doesn't merge the latest version of a package (gentoolkit 0.2.0)

Summary: glsa-check doesn't merge the latest version of a package (gentoolkit 0.2.0)

Status:	RESOLVED FIXED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Tools (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Portage Tools Team

URL:
Whiteboard:
Keywords:	InVCS

Depends on:
Blocks:	170220
	Show dependency tree

Reported:	2005-02-12 04:51 UTC by Diederik van der Boor
Modified:	2007-07-27 21:39 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diederik van der Boor 2005-02-12 04:51:59 UTC

I've noticed glsa-check doesn't try to merge the latest version of a package:
Take a look at the output snapshow below; glsa-check tries to merge "mit-krb5-1.3.6" but "mit-krb5-1.3.6-r1" is available in portage:

fixing 200501-05
>>> merging app-crypt/mit-krb5-1.3.6
Calculating dependencies
!!! All ebuilds that could satisfy "=app-crypt/mit-krb5-1.3.6" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-crypt/mit-krb5-1.3.6 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.

root@pts/1 root # etcat -v app-crypt/mit-krb5
[ Results for search key           : app-crypt/mit-krb5 ]
[ Candidate applications found : 10 ]

 Only printing found installed programs.

*  app-crypt/mit-krb5 :
        [   ] 1.3.1 (0)
        [   ] 1.3.1-r1 (0)
        [M~ ] 1.3.3 (0)
        [   ] 1.3.3-r1 (0)
        [   ] 1.3.4 (0)
        [   ] 1.3.4-r1 (0)
        [M~ ] 1.3.5 (0)
        [M I] 1.3.5-r1 (0)
        [M~ ] 1.3.6 (0)
        [   ] 1.3.6-r1 (0)


Reproducible: Always
Steps to Reproduce:

Comment 1 Marius Mauch (RETIRED) gentoo-dev

2005-02-12 08:36:31 UTC

That's intentional, glsa-check uses a least-change policy.

Comment 2 Wolfram Schlich (RETIRED) gentoo-dev

2007-03-30 11:26:20 UTC

Marius, please add a switch to glsa-check which enables us to install
the latest and greatest stable version of a package affected by a GLSA.

Maybe you can add a getMaxUpgrade function to /usr/lib/gentoolkit/pym/glsa.py
and add a switch called -g or --greatest?

Comment 3 Wolfram Schlich (RETIRED) gentoo-dev

2007-03-30 11:35:25 UTC

The workaround I am currently using is:

glsa-check -p affected | grep / | awk '{ print $1 }' | xargs -n 1 -i{} echo '>={}' | xargs emerge

But obviously, this sucks :-)

Comment 4 Joshua Hoblitt 2007-04-10 21:13:28 UTC

Well it's not exactly a least change policy either.  I have a system that glsa-check insistent on install python 2.3.5 on even though python 2.4 was already installed.  I believe that correct behavior would have been to do nothing in this case.

--
fixing 200610-07
>>> merging dev-lang/python-2.3.5-r3
Calculating dependencies... done!

>>> Emerging (1 of 1) dev-lang/python-2.3.5-r3 to /
--

Comment 5 Marius Mauch (RETIRED) gentoo-dev

2007-04-10 21:28:12 UTC

Well, I'd bet you also have another version of python-2.3 installed that is vulnerable and therefore has to be upgraded.

Comment 6 Marius Mauch (RETIRED) gentoo-dev

2007-05-30 17:22:28 UTC

r403 has a new --emergelike option to use a strategy similar to emerge when selecting upgrades.

Comment 7 Paul Varner (RETIRED) gentoo-dev

2007-07-27 21:39:40 UTC

Released in gentoolkit-0.2.4_pre6