I've noticed glsa-check doesn't try to merge the latest version of a package:

Take a look at the output snapshot below; glsa-check tries to merge "mit-krb5-1.3.6" but "mit-krb5-1.3.6-r1" is available in portage:

    fixing 200501-05
    >>> merging app-crypt/mit-krb5-1.3.6
    Calculating dependencies
    !!! All ebuilds that could satisfy "=app-crypt/mit-krb5-1.3.6" have been masked.
    !!! One of the following masked packages is required to complete your request:
    - app-crypt/mit-krb5-1.3.6 (masked by: ~x86 keyword)

    For more information, see MASKED PACKAGES section in the emerge man page or
    section 2.2 "Software Availability" in the Gentoo Handbook.

    root@pts/1 root # etcat -v app-crypt/mit-krb5
    [ Results for search key : app-crypt/mit-krb5 ]
    [ Candidate applications found : 10 ]

    Only printing found installed programs.

    * app-crypt/mit-krb5 :
        [ ] 1.3.1 (0)
        [ ] 1.3.1-r1 (0)
        [M~ ] 1.3.3 (0)
        [ ] 1.3.3-r1 (0)
        [ ] 1.3.4 (0)
        [ ] 1.3.4-r1 (0)
        [M~ ] 1.3.5 (0)
        [M I] 1.3.5-r1 (0)
        [M~ ] 1.3.6 (0)
        [ ] 1.3.6-r1 (0)

Reproducible: Always
Steps to Reproduce:
That's intentional, glsa-check uses a least-change policy.
Marius, please add a switch to glsa-check which enables us to install the latest and greatest stable version of a package affected by a GLSA. Maybe you can add a getMaxUpgrade function to /usr/lib/gentoolkit/pym/glsa.py and add a switch called -g or --greatest?
The workaround I am currently using is:

    glsa-check -p affected | grep / | awk '{ print $1 }' | xargs -n 1 -i{} echo '>={}' | xargs emerge

But obviously, this sucks :-)
Well, it's not exactly a least-change policy either. I have a system that glsa-check insists on installing python 2.3.5 on, even though python 2.4 was already installed. I believe that the correct behavior would have been to do nothing in this case.

--
    fixing 200610-07
    >>> merging dev-lang/python-2.3.5-r3
    Calculating dependencies... done!
    >>> Emerging (1 of 1) dev-lang/python-2.3.5-r3 to /
--
Well, I'd bet you also have another version of python-2.3 installed that is vulnerable and therefore has to be upgraded.
r403 has a new --emergelike option to use a strategy similar to emerge when selecting upgrades.
Released in gentoolkit-0.2.4_pre6
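
The two selection strategies discussed in this thread, shown side by side on the mit-krb5 listing from the first comment. This is an added example, not gentoolkit's glsa.py code: the function names, the simplified version comparison (dotted numbers plus -rN only) and the first fixed version (inferred from the version glsa-check tried to merge) are assumptions.

```python
import re

# Constructed from the etcat listing in the first comment: version -> masked?
# ("M" or "M~" in the listing counts as masked; 1.3.5-r1 is the installed one.)
CANDIDATES = {
    "1.3.1": False, "1.3.1-r1": False, "1.3.3": True, "1.3.3-r1": False,
    "1.3.4": False, "1.3.4-r1": False, "1.3.5": True, "1.3.5-r1": True,
    "1.3.6": True, "1.3.6-r1": False,
}
INSTALLED = "1.3.5-r1"
FIRST_FIXED = "1.3.6"  # assumption: inferred from what glsa-check tried to merge


def vkey(version):
    """Sort key for simple versions: dotted numbers plus an optional -rN."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError("unsupported version string: %r" % version)
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def fixes(candidates, installed, first_fixed):
    """Unaffected versions, oldest first; empty if nothing needs upgrading."""
    if vkey(installed) >= vkey(first_fixed):
        return []  # the installed version is already unaffected
    return sorted((v for v in candidates if vkey(v) >= vkey(first_fixed)),
                  key=vkey)


def least_change(candidates, installed, first_fixed):
    """Smallest version jump that fixes the issue, ignoring masking."""
    found = fixes(candidates, installed, first_fixed)
    return found[0] if found else None


def emerge_like(candidates, installed, first_fixed):
    """Highest fixed version that is not masked on this system."""
    visible = [v for v in fixes(candidates, installed, first_fixed)
               if not candidates[v]]
    return visible[-1] if visible else None


if __name__ == "__main__":
    print("least change:", least_change(CANDIDATES, INSTALLED, FIRST_FIXED))
    print("emerge-like: ", emerge_like(CANDIDATES, INSTALLED, FIRST_FIXED))
```

The least-change pick is the keyword-masked version that emerge refused in the first comment, while the emerge-like pick is the version the reporter expected.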