Our GLSAs currently use the following commands as update instructions:

    # emerge sync
    # emerge -pv ">=media-libs/libpng-1.2.5-r8"
    # emerge ">=media-libs/libpng-1.2.5-r8"

It's not a good idea, since it will record libpng in your world file, which is probably not wanted since it's a library. glsa-check does it the right way: it uses "--oneshot" to prevent that. Furthermore, since 2.0.50 we have the "--ask" option, which removes the need to do a pretend first. So we should rather use:

    # emerge sync
    # emerge --ask --oneshot ">=media-libs/libpng-1.2.5-r8"

or maybe:

    # emerge sync
    # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.5-r8"

Unfortunately, --oneshot has no short option.
No objection to changing this in GLSAMaker if I see two approval+ flags on this bug...
I know that Kurt wanted to wait for 2.0.51 to be out to have "--ask" in instructions.
Second approval... but wait for klieber to ack.
Hmm I set a pending+ but I meant approval+. Don't know how to set a second approval+ flag.
Portage 2.0.51 is out. I think it's now time we simplify GLSA instructions by taking advantage of the 2.0.50 flags :) Three proposals:

    1# emerge sync
    1# emerge --ask --oneshot ">=media-libs/libpng-1.2.5-r8"

    2# emerge sync
    2# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.5-r8"

    3# emerge sync
    3# emerge -av --oneshot ">=media-libs/libpng-1.2.5-r8"

My preference goes to 1. The verbose flag is not *needed*, and it's concise enough. Otherwise I would go for solution 2, but I find it a little lengthy.
please use `emerge --sync` instead of `emerge sync`.
My concern (and the reason I wanted to wait for .51) is that some folks will still be running older versions of portage and these instructions will break for them. This confuses (some of) our users and results in a flurry of pissed off emails to security@g.o. I agree with the need to take advantage of the new flags -- I'm not suggesting we don't. However, is there a way we can at least note in the GLSA something like, "(depends on Portage 2.0.50 and above)" or something? As for Koon's three suggestions, I like #2 better, but I'm fine with #1 if that's what other folks want.
Seriously, I think people keeping portage<2.0.50 for whatever reason should have no trouble translating the instructions. If we get any hate mail / bug about it then we might add a notice in the GLSA, but frankly I don't see that as necessary beforehand. Please vote on proposals; for the moment 1 and 2 are tied:

    1# emerge --sync
    1# emerge --ask --oneshot ">=media-libs/libpng-1.2.5-r8"

    2# emerge --sync
    2# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.5-r8"
I would prefer version 2 (with --verbose), since -v was included up to now too, and this way USE flags can be seen.
A little late but :). I agree with #9, I'd go for 2 as well.
Version 2 it will be, then. Boilerplate fixed, future GLSAs will have the new resolution guidelines.
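Two small POSIX sh checks for the two concerns raised in this thread, added here as an example; they are not part of the bug, of GLSAMaker or of Portage. The first tells an admin whether a package has already been recorded in the world file (the problem the old instructions without --oneshot caused), so stale library entries can be found and removed. The second decides whether a given Portage version is at least 2.0.50, the release the thread names as the first to understand --ask. The world file path /var/lib/portage/world and the sample world content are assumptions; the version threshold comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread, GLSAMaker or Portage.
# Assumed world file location: /var/lib/portage/world (pass any path).

# world_has_pkg WORLD_FILE CATEGORY/PKG
# Return 0 if CATEGORY/PKG is recorded as a world entry in WORLD_FILE.
# Entries may carry a version operator and version (>=media-libs/libpng-1.2.5-r8)
# or a slot (media-libs/libpng:0); both are stripped before comparing.
world_has_pkg() {
    world_file=$1
    pkg=$2
    while IFS= read -r atom; do
        [ -z "$atom" ] && continue
        case "$atom" in '#'*) continue ;; esac
        base=$(printf '%s\n' "$atom" \
            | sed -e 's/^[<>=~!]*//' -e 's/:.*$//' -e 's/-[0-9][^/]*$//')
        [ "$base" = "$pkg" ] && return 0
    done < "$world_file"
    return 1
}

# portage_supports_ask VERSION
# Return 0 if VERSION (e.g. 2.0.51 or 2.0.50-r5) is at least 2.0.50,
# the first Portage release whose emerge accepts --ask according to the thread.
portage_supports_ask() {
    v=${1%%-r*}                              # drop a -rN revision suffix
    set -- $(printf '%s\n' "$v" | tr '.' ' ')  # split into numeric fields
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 0 ] && return 0
    [ "$pat" -ge 50 ]
}

# Usage (constructed world file, not a real system's):
#   printf 'app-editors/vim\n>=media-libs/libpng-1.2.5-r8\n' > /tmp/world.example
#   world_has_pkg /tmp/world.example media-libs/libpng && echo "libpng is in world"
#   portage_supports_ask "$(emerge --version | sed 's/^Portage //;s/ .*//')" \
#       && echo "--ask available"
```

If world_has_pkg reports a library that only landed there through an old GLSA, re-emerging it with --oneshot does not remove the entry; the line has to be deleted from the world file by hand (or with the package manager's own tooling).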