Qemu, all packages, I use 8.2.3 as stable at the moment, depend on ipxe-1.21.1, so the new snapshot package sys-firmware/ipxe-1.21.1_p20230601 cannot be used and forces a downgrade again to the older version.
(I masked the old 1.21.1 version, therefore the message)

==================================================================
!!! The following update has been skipped due to unsatisfied dependencies:

app-emulation/qemu:0

  selected: (app-emulation/qemu-8.2.3:0/0::gentoo, installed)
  skipped: (app-emulation/qemu-8.2.3:0/0::gentoo, ebuild scheduled for merge) (see unsatisfied dependency below)

!!! All ebuilds that could satisfy "~sys-firmware/ipxe-1.21.1[binary,qemu]" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-firmware/ipxe-1.21.1::gentoo (masked by: package.mask)

(dependency required by "app-emulation/qemu-8.2.3::gentoo[qemu_softmmu_targets_x86_64,pin-upstream-blobs,qemu_softmmu_targets_i386]" [ebuild])
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
==================================================================

This change would also fix:
#882393 <sys-firmware/ipxe-1.21.1_p20230601: padding oracle attack vulnerability
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b066a3e914a63e361dfd03ff285fb2e885567cc

commit 7b066a3e914a63e361dfd03ff285fb2e885567cc
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2025-02-22 20:46:33 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2025-02-22 20:46:33 +0000

    app-emulation/qemu: update ipxe version

    Bug: https://bugs.gentoo.org/935455
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-emulation/qemu/qemu-9999.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The whole point of the pin-upstream-blobs useflag is to have immutable firmware. So switch that off and be happy?
Perhaps we ought to change its default, though.