Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598182 - Multiple invalid GLSAs
Summary: Multiple invalid GLSAs
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-27 07:33 UTC by Michał Górny
Modified: 2016-10-27 13:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 07:33:08 UTC 
WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
               : error range rgt version 4.4.12 is a guaranteed empty set
WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
               : error range rgt version 5.5.51 is a guaranteed empty set
WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package dev-vcs/subversion:
               : error range rgt version 1.8.16 is a guaranteed empty set


Could you please fix them since they're spamming the pkgcheck output terribly?
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-27 08:09:08 UTC 
(In reply to Michał Górny from comment #0)
> WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
>                : error range rgt version 4.4.12 is a guaranteed empty set
> WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
>                : error range rgt version 5.5.51 is a guaranteed empty set
> WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package
> dev-vcs/subversion:
>                : error range rgt version 1.8.16 is a guaranteed empty set
> 
> 
> Could you please fix them since they're spamming the pkgcheck output
> terribly?

I don't immediately agree this is wrong specification as an end user can have a different copy of the tree that have these versions available.

Maybe you can alter your pkgcheck and filter out things you don't like locally
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 08:29:14 UTC 
(In reply to Kristian Fiskerstrand from comment #1)
> (In reply to Michał Górny from comment #0)
> > WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
> >                : error range rgt version 4.4.12 is a guaranteed empty set
> > WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
> >                : error range rgt version 5.5.51 is a guaranteed empty set
> > WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package
> > dev-vcs/subversion:
> >                : error range rgt version 1.8.16 is a guaranteed empty set
> > 
> > 
> > Could you please fix them since they're spamming the pkgcheck output
> > terribly?
> 
> I don't immediately agree this is wrong specification as an end user can
> have a different copy of the tree that have these versions available.

The check doesn't check for available packages. It's saying that this spec can *never ever* match anything.

AFAICS, it complains about that when rlt/rgt operator is used without a revision. Not sure if that's valid for rgt though... lack of proper documentation for those operators is not helping.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 13:32:35 UTC 
Ok, it seems that the GLSA handling in pkgcore is indeed wrong.

https://github.com/pkgcore/pkgcore/pull/223