Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598182

Summary: Multiple invalid GLSAs
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: radhermit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 07:33:08 UTC 
WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
               : error range rgt version 4.4.12 is a guaranteed empty set
WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
               : error range rgt version 5.5.51 is a guaranteed empty set
WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package dev-vcs/subversion:
               : error range rgt version 1.8.16 is a guaranteed empty set


Could you please fix them since they're spamming the pkgcheck output terribly?
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-27 08:09:08 UTC 
(In reply to Michał Górny from comment #0)
> WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
>                : error range rgt version 4.4.12 is a guaranteed empty set
> WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
>                : error range rgt version 5.5.51 is a guaranteed empty set
> WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package
> dev-vcs/subversion:
>                : error range rgt version 1.8.16 is a guaranteed empty set
> 
> 
> Could you please fix them since they're spamming the pkgcheck output
> terribly?

I don't immediately agree this is wrong specification as an end user can have a different copy of the tree that have these versions available.

Maybe you can alter your pkgcheck and filter out things you don't like locally
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 08:29:14 UTC 
(In reply to Kristian Fiskerstrand from comment #1)
> (In reply to Michał Górny from comment #0)
> > WARNING pkgcore: invalid glsa- glsa-201607-11.xml, package www-apps/bugzilla:
> >                : error range rgt version 4.4.12 is a guaranteed empty set
> > WARNING pkgcore: invalid glsa- glsa-201610-06.xml, package dev-db/mariadb:
> >                : error range rgt version 5.5.51 is a guaranteed empty set
> > WARNING pkgcore: invalid glsa- glsa-201610-05.xml, package
> > dev-vcs/subversion:
> >                : error range rgt version 1.8.16 is a guaranteed empty set
> > 
> > 
> > Could you please fix them since they're spamming the pkgcheck output
> > terribly?
> 
> I don't immediately agree this is wrong specification as an end user can
> have a different copy of the tree that have these versions available.

The check doesn't check for available packages. It's saying that this spec can *never ever* match anything.

AFAICS, it complains about that when rlt/rgt operator is used without a revision. Not sure if that's valid for rgt though... lack of proper documentation for those operators is not helping.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-10-27 13:32:35 UTC 
Ok, it seems that the GLSA handling in pkgcore is indeed wrong.

https://github.com/pkgcore/pkgcore/pull/223