I think there should be a way to distinguish security vs non-security updates. Although I understand that gentoo is a rolling release and you should generally roll along, I think that users may want to concentrate updates of big packages, or delay updates during critical times, but they have no way to distinguish between a security update, which should be done as soon as possible, and a feature/bugfix update, which can be postponed safely. I propose a scheme in which every package directory in the portage tree contains a file in which versions that are security updates are noted. Then emerge should distinguish security updates (that is, updates in which there exists an intermediate version between installed and installable which is marked as "security") from non-security ones. The file could eventually be pruned of old versions which exit portage, but it should always keep at least the last security-related update, so users who have a version which is now out of portage still know that the update is for security.

Reproducible: Always
You are aware of http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14 ?
Yes I am, but that is a script that needs to be run manually; what I'm suggesting instead would appear in the output of emerge. Besides, my proposal would:

1) Allow information to be tied to single packages instead of having a conglomerate of xml files
2) Allow outdated information to be purged out of the portage tree
3) Allow much cheaper checking of packages affected by glsa [not needing to read every glsa, but only those affecting installed packages]
Just a small note: if this ever gets implemented, the data needed is not the update which is a security update, but the versions affected by each security problem, as sometimes older versions are not affected.
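The scheme described in the report, using the per-advisory affected-version data the last comment asks for, as an added example that is not part of this thread or of Portage itself. The per-package file format, the placeholder advisory ids, and the simplified dotted-integer version comparison are all assumptions; real Portage version syntax and GLSA data are richer than this.

```python
"""Classify a package update as security or non-security (added example).

Assumed per-package file format (hypothetical, one line per advisory):
    <advisory-id> <constraint> [<constraint> ...]
A constraint is one of >=, <=, >, <, = followed by a dotted-integer version;
a version is affected by an advisory when it satisfies all its constraints.
An update is a security update when some advisory affects the installed
version but not the candidate, which also covers the case where an older
installed version was never affected (it then gets no security flag).
"""
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "=": operator.eq}
CONSTRAINT_RE = re.compile(r"(>=|<=|>|<|=)(\d+(?:\.\d+)*)")


def parse_version(version):
    """Simplified versions: compare dotted integers as tuples (assumption)."""
    return tuple(int(part) for part in version.split("."))


def parse_security_file(text):
    """Return a list of (advisory_id, [(compare_fn, version_tuple), ...])."""
    advisories = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        advisory_id, *specs = line.split()
        constraints = []
        for spec in specs:
            match = CONSTRAINT_RE.fullmatch(spec)
            if not match:
                raise ValueError(f"bad constraint {spec!r} in {advisory_id}")
            constraints.append((OPS[match.group(1)], parse_version(match.group(2))))
        advisories.append((advisory_id, constraints))
    return advisories


def is_affected(version, constraints):
    ver = parse_version(version)
    return all(compare(ver, bound) for compare, bound in constraints)


def classify_update(installed, candidate, advisories):
    """Return ('security', [advisory ids fixed by the update]) or ('non-security', [])."""
    fixed = [aid for aid, cons in advisories
             if is_affected(installed, cons) and not is_affected(candidate, cons)]
    return ("security", fixed) if fixed else ("non-security", [])


# Constructed sample file; the advisory ids are placeholders, not real GLSAs.
SAMPLE_SECURITY_FILE = """\
# advisory-id     affected versions
GLSA-EXAMPLE-1    <1.2.3
GLSA-EXAMPLE-2    >=1.4 <1.4.2
"""
```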