glsa-check tries to remerge gnome-vfs-2.8.4-r1 because gnome-vfs-1.0.5-r3 is installed and GLSA 200504-07 marks it as affected: root@cube:~# equery list gnome-vfs [ Searching for package 'gnome-vfs' in all categories among: ] * installed packages [I--] [ ] gnome-base/gnome-vfs-1.0.5-r3 (1) [I--] [ ] gnome-base/gnome-vfs-2.8.4-r1 (2) root@cube:~# glsa-check -p 200504-07 WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug. Checking GLSA 200504-07 The following updates will be performed for this GLSA: gnome-base/gnome-vfs-2.8.4-r1 (2.8.4-r1) Reproducible: Always Steps to Reproduce: 1. equery list gnome-vfs 2. glsa-check -p 200504-07 Actual Results: root@cube:~# equery list gnome-vfs [ Searching for package 'gnome-vfs' in all categories among: ] * installed packages [I--] [ ] gnome-base/gnome-vfs-1.0.5-r3 (1) [I--] [ ] gnome-base/gnome-vfs-2.8.4-r1 (2) root@cube:~# glsa-check -p 200504-07 WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug. Checking GLSA 200504-07 The following updates will be performed for this GLSA: gnome-base/gnome-vfs-2.8.4-r1 (2.8.4-r1) Expected Results: Don't remerge gnome-vfs-2.8.4-r1. Gentoo Base System version 1.4.16 Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5, glibc-2.3.4.20041102-r1, 2.6.10-infra-r2-cube-1 i686) ================================================================= System uname: 2.6.10-infra-r2-cube-1 i686 AMD Athlon(tm) XP 1700+ Python: dev-lang/python-2.3.4-r1 [2.3.4 (#1, Feb 8 2005, 02:37:46)] distcc 2.16 i586-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] dev-lang/python: 2.3.4-r1 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.5, 1.7.9-r1, 1.4_p6, 1.9.4, 1.6.3, 1.8.5-r3 sys-devel/binutils: 2.15.92.0.2-r7 sys-devel/libtool: 1.5.10-r4 virtual/os-headers: 2.6.8.1-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-march=pentium -mcpu=athlon-tbird -O3 -pipe" CHOST="i586-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /usr/vice/etc /var/qmail/alias /var/qmail/control" CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/afs/modload /etc/gconf /etc/make.globals /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium -mcpu=athlon-tbird -O3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache collision-protect distcc distlocks fixpackages sandbox sfperms strict test userpriv usersandbox" GENTOO_MIRRORS="ftp://ftp.easynet.nl/mirror/gentoo/ http://gentoo.inode.at/ ftp://gentoo.inode.at/source/" LANG="en_US" MAKEOPTS="-j10" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp/portage" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage-local--main--1.0" SYNC="rsync://copper.sascha.silbe.org/gentoo-portage" USE="x86 3dnow S3TC X acl afs alsa apm avi bash-completion berkdb bitmap-fonts blas bzip2 bzlib cdr chipcard crypt curl doc dvd dvdr ecc emboss encode fam flac foomaticdb fortran gdbm gif gimpprint gtk gtk2 gtkhtml guile hbci imagemagick imap imlib ipv6 j-noaim j-nomsn j-noyahoo jabber jpeg lapack lcms libg++ libwww lvm1 mad maildir makecheck mbox mikmod mmx monitor mozsvg mp3 mpeg mysql nas ncurses nls nodrm offensive oggvorbis opengl oss pam pdflib plotutils png postgres python qt qtmt quicktime readline samba scanner sdl serial skey smartcard spell sqlite sse ssl tetex tiff truetype truetype-fonts type1-fonts unicode userlocales xml xml2 xv xvid zlib linguas_en,de" Unset: ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS
There are two things here: - GLSA 200504-07 marking gnome-vfs-1.* as affected - glsa-check doesn't include enough information to be able to understand the issue at hand (the "The following updates will be performed for this GLSA: gnome-base/gnome-vfs-2.8.4-r1 (2.8.4-r1)" is clearly misleading). For the first thing we must first make sure that gnome-vfs-1.* is not affected by this before correcting the GLSA (or patching that SLOT too). For the second we should file a separate bug in Portage tools. Will do.
See bug 88483 for the second part.
gnome-vfs-1.* is affected by this flaw, so the GLSA is correct, closing this bug as WORKSFORME. That said, maybe the GNOME team should have patched the gnome-vfs-1 line too, rather than forcing everyone to remove that package. Reopening original bug 84936 to ask them the question.
