Since build time dependencies are considered optional for built/installed packages, build time slot operator deps do not necessarily trigger rebuilds. For example, following a dev-lang/go subslot upgrade, this can prevent rebuilds of packages that have a build time dev-lang/go:= dependency.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/portage.git/commit/?id=075c1951e1ac84e99a2219ff14be4a366d274f36 commit 075c1951e1ac84e99a2219ff14be4a366d274f36 Author: Georgy Yakovlev <gyakovlev@gentoo.org> AuthorDate: 2020-10-16 19:43:54 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2020-11-01 21:11:09 +0000 cnf/sets/portage.conf: add new sets for go rebuilding go packages go-built binaries may contain security vulnerabilities if a binary built with vulnerable compiler. go is known to embed vulnerable code to all binaries it builds, if vulnerability was present in the compiler or one of standard libraries. This commit adds `golang-rebuild` set, which allows easy rebuild of most go-compiled system packages. simple 'emerge @golang-rebuild' should rebuild everything affected. a prompt to run this command can be added to postinst message in dev-lang/go ebuild. Closes: https://github.com/gentoo/portage/pull/630 Bug: https://bugs.gentoo.org/752153 Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> Signed-off-by: Zac Medico <zmedico@gentoo.org> cnf/sets/portage.conf | 6 ++++++ 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43cc36f055d6c4fd9c8761ecb50f57027180a1dd commit 43cc36f055d6c4fd9c8761ecb50f57027180a1dd Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2020-11-02 01:57:51 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2020-11-02 01:58:00 +0000 sys-apps/portage: Bump to version 3.0.9 #199722 Enable QA Notice for deprecated hasq/useq in *rm phases #704498 Fix pid-sandbox to handle Ctrl+Z correctly #752066 Add emerge --quickpkg-direct-root option #752147 Fix make.conf to expand special *ROOT variables #752153 Add @golang-rebuild package set Bug: https://bugs.gentoo.org/752168 Bug: https://bugs.gentoo.org/199722 Bug: https://bugs.gentoo.org/704498 Bug: https://bugs.gentoo.org/752066 Bug: https://bugs.gentoo.org/752147 Bug: https://bugs.gentoo.org/752153 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Zac Medico <zmedico@gentoo.org> sys-apps/portage/Manifest | 1 + sys-apps/portage/portage-3.0.9.ebuild | 267 ++++++++++++++++++++++++++++++++++ 2 files changed, 268 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/portage.git/commit/?id=e9c0ef7609e8e2068af8c9c7138f1a2dc22fcfb0 commit e9c0ef7609e8e2068af8c9c7138f1a2dc22fcfb0 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2020-11-15 04:25:22 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2020-11-15 05:54:37 +0000 Add slot operator := BDEPEND unit tests for bug 752153 Test these two distinct cases: 1) Regular dev-lang/go upgrade, with rebuild of packages that have dev-lang/go:= in BDEPEND. 2) Rebuild of packages that have dev-lang/go:= in BDEPEND, after the built slot operator deps have already been broken by an earlier dev-lang/go upgrade. Bug: https://bugs.gentoo.org/752153 Signed-off-by: Zac Medico <zmedico@gentoo.org> .../tests/resolver/test_slot_operator_bdeps.py | 209 +++++++++++++++++++++ 1 file changed, 209 insertions(+)
I think this is arguably a PMS issue (or Go and Rust packages should (R)DEPEND w/ := on Go/Rust to allow the rebuilds, but that would be pretty annoying for some, I guess.)
