Using app-portage/gentoolkit-0.2.1_pre9 and running "glsa-check -f all", when it gets to 200510-11 it attempts to install dev-libs/openssl-0.9.8-r1. This fails automatically, as the ebuild for that version of openssl has KEYWORDS="-*" and is masked in /usr/portage/profiles/package.mask. In other words, it is being masked from being installed on any arch.

Reproducible: Always

Steps to Reproduce:
1. emerge sync
2. emerge --update gentoolkit
3. glsa-check -f all

Actual Results:
fixing 200510-11
>>> merging dev-libs/openssl-0.9.8-r1
Calculating dependencies
!!! All ebuilds that could satisfy "=dev-libs/openssl-0.9.8-r1" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/openssl-0.9.8-r1 (masked by: package.mask, -* keyword)
# Martin Schlemmer <azarah@gentoo.org> (05 Jul 2005)
# Masked for testing, as it breaks api

For more information, see MASKED PACKAGES section in the emerge man page or refer to the Gentoo Handbook.

Expected Results:
gentoolkit only attempt to install packages marked ~arch as gentoolkit is ~arch

Which openssl version do you have installed?

I'm seeing the same thing. I have openssl-0.9.7i installed.

garath ~ # glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug.
This system is affected by the following GLSA:
200510-11

garath ~ # glsa-check -p 200510-11
WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug.
Checking GLSA 200510-11
The following updates will be performed for this GLSA:
     dev-libs/openssl-0.9.8-r1 (0.9.7i)

Portage 2.0.53_rc7 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r3, 2.6.12-gentoo-r6 i686)
=================================================================
System uname: 2.6.12-gentoo-r6 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz
Gentoo Base System version 1.12.0_pre9
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache cvs distlocks fixpackages sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://www.ibiblio.org/pub/linux/distributions/gentoo http://gentoo.mirrors.pair.com/"
LINGUAS="en"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X acpi alsa apache2 arts artswrappersuid audiofile avi bash-completion berkdb bitmap-fonts cdr crypt cups curl dvd eds emboss encode fam fbcon flac foomaticdb fortran gdbm gif gpm gstreamer gtk gtk2 imagemagick imlib java javascript jpeg kde kdeenablefinal kdexdeltas libg++ libwww mad maildir mikmod mmx motif mp3 mpeg ncurses nls nptl nsplugin ogg oggvorbis opengl pam pdflib perl png ppds python qt quicktime readline samba sasl sdl spell sqlite sse ssl tcltk tcpd tiff truetype truetype-fonts type1-fonts udev usb vorbis win32codecs xine xml2 xmms xscreensaver xv zlib linguas_en userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, MAKEOPTS

not a glsa-check bug then (it won't downgrade stuff, and the next unaffected atom higher than 0.9.7i is >=0.9.8-r1). Security, Az: Either you have to update the GLSA or mark some version matching >=0.9.8-r1 as stable.

I'll update the GLSA. The problem comes from the addition of an intermediary fixed version (0.9.7i) while we still don't support ranges in portage/GLSA spec.

Was:
-------------------------------------------------------------------
     Package            /  Vulnerable  /                Unaffected
-------------------------------------------------------------------
  1  dev-libs/openssl      < 0.9.8-r1                  >= 0.9.8-r1
                                                        *>= 0.9.7h
                                                     *>= 0.9.7g-r1
                                                     *>= 0.9.7e-r2

Will be:
-------------------------------------------------------------------
     Package            /  Vulnerable  /                Unaffected
-------------------------------------------------------------------
  1  dev-libs/openssl       < 0.9.7h                     >= 0.9.7h
                                                     *>= 0.9.7g-r1
                                                     *>= 0.9.7e-r2

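
A small model of the resolution described in the comments above, run against the "Was" and "Will be" tables (added example, not glsa-check's own code and not written by anyone in this thread). Assumptions: the "*>=" entries are modelled as "same base version, revision greater or equal", the no-downgrade rule follows the earlier comment, and TREE is a constructed list of available versions.

```python
import re

def parse(v):
    """Split '0.9.7g-r1' into ((0, 9, 7), 'g', 1): numbers, letter suffix, revision."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, m.group(2), int(m.group(3) or 0)

def matches(version, atom):
    """atom is (op, version). Assumption: '*>=' means same base, revision >=."""
    op, ref = atom
    v, r = parse(version), parse(ref)
    if op == "<":
        return v < r
    if op == ">=":
        return v >= r
    if op == "*>=":
        return v[:2] == r[:2] and v[2] >= r[2]
    raise ValueError(f"unsupported operator: {op}")

def is_affected(installed, glsa):
    vulnerable = any(matches(installed, a) for a in glsa["vulnerable"])
    unaffected = any(matches(installed, a) for a in glsa["unaffected"])
    return vulnerable and not unaffected

def upgrade_target(installed, tree, glsa):
    """Lowest tree version above the installed one that is unaffected (no downgrades)."""
    if not is_affected(installed, glsa):
        return None
    higher = sorted((v for v in tree if parse(v) > parse(installed)), key=parse)
    return next((v for v in higher if not is_affected(v, glsa)), None)

# The two tables from the comment above; TREE is a constructed sample.
OLD = {"vulnerable": [("<", "0.9.8-r1")],
       "unaffected": [(">=", "0.9.8-r1"), ("*>=", "0.9.7h"),
                      ("*>=", "0.9.7g-r1"), ("*>=", "0.9.7e-r2")]}
NEW = {"vulnerable": [("<", "0.9.7h")],
       "unaffected": [(">=", "0.9.7h"), ("*>=", "0.9.7g-r1"), ("*>=", "0.9.7e-r2")]}
TREE = ["0.9.7e-r2", "0.9.7g-r1", "0.9.7h", "0.9.7i", "0.9.8-r1"]

if __name__ == "__main__":
    for name, glsa in (("old", OLD), ("new", NEW)):
        print(name, is_affected("0.9.7i", glsa), upgrade_target("0.9.7i", TREE, glsa))
```

Under the old table an installed 0.9.7i is reported as affected with 0.9.8-r1 as the only target; under the new table it is unaffected, and a plain 0.9.8 is no longer flagged either.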
Fixed in CVS. Should be in the tree in an hour. Please reopen if it doesn't fix it.
But isn't 0.9.8 still affected, despite the change in the glsa?
Sure. But hardmasked versions are not security-supported, and we can't do better with current portage/glsa limitations... I don't want this GLSA to have to be updated when 0.9.7[j-z] appears.