Bug 117458 - Dependency change in x11-libs/openmotif-2.2.3-r8 blocks security update
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: jaervosz
Reported: 2006-01-02 07:54 UTC by Sascha Silbe
Modified: 2006-08-30 21:19 UTC


Description Sascha Silbe 2006-01-02 07:54:14 UTC
"glsa-check -f 200512-16" doesn't work because the to-be-installed x11-libs/openmotif-2.2.3-r8 depends on x11-libs/motif-config-0.9, which is blocked by the currently-installed (and insecure) x11-libs/openmotif-2.2.3-r3.

root@cube:~# glsa-check -f 200512-16
fixing 200512-16
>>> merging x11-libs/openmotif-2.2.3-r8
Calculating dependencies ...done!

!!! Error: the =x11-libs/openmotif-2.2.3-r3 package conflicts with another package.
!!!        both can't be installed on the same system together.
!!!        Please use 'emerge --pretend' to determine blockers.

root@cube:~# equery list openmotif
[ Searching for package 'openmotif' in all categories among: ]
 * installed packages
[I--] [  ] x11-libs/openmotif-2.2.3-r3 (2.2)
root@cube:~# emerge -pv openmotif

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[blocks B     ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild  N    ] x11-libs/motif-config-0.9  0 kB 
[ebuild     U ] x11-libs/openmotif-2.2.3-r8 [2.2.3-r3] 0 kB 

Total size of downloads: 0 kB
root@cube:~# equery list motif-config
[ Searching for package 'motif-config' in all categories among: ]
 * installed packages
root@cube:~# emerge -pv =x11-libs/motif-config-0.9

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[blocks B     ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild  N    ] x11-libs/motif-config-0.9  0 kB 

Total size of downloads: 0 kB
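
A pre-flight check an administrator could run over `emerge --pretend` output before an automated GLSA fix, as an added example that is not part of the original report or of glsa-check. It lists each blocker and notes whether the blocking installed version is the same one the plan upgrades; the function names, status labels and the assumed line format (taken from the output quoted above) are illustrative, and the check does not change how Portage or glsa-check treats the blocker.

```python
import re

# Constructed sample: the `emerge -pv openmotif` output quoted in the report.
SAMPLE = """\
Calculating dependencies ...done!
[blocks B     ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild  N    ] x11-libs/motif-config-0.9  0 kB
[ebuild     U ] x11-libs/openmotif-2.2.3-r8 [2.2.3-r3] 0 kB
"""

BLOCK_RE = re.compile(r"\[blocks\s+B\s*\]\s+(\S+)\s+\(is blocking (\S+)\)")
# On an upgrade line the installed version follows the new atom in brackets.
EBUILD_RE = re.compile(r"\[ebuild[A-Za-z ]*\]\s+(\S+)(?:\s+\[([^\]]+)\])?")
ATOM_RE = re.compile(r"^[<>=~!]*(.+?)(?:-(\d[\w.]*(?:-r\d+)?))?$")


def split_atom(atom):
    """'=cat/pkg-1.2-r3' -> ('cat/pkg', '1.2-r3'); version is None if absent."""
    m = ATOM_RE.match(atom)
    return m.group(1), m.group(2)


def classify_blockers(pretend_output):
    """List each blocker and whether the same plan upgrades it away."""
    blockers, replaced = [], set()
    for line in pretend_output.splitlines():
        line = line.strip()
        b = BLOCK_RE.match(line)
        e = EBUILD_RE.match(line)
        if b:
            blockers.append((b.group(1), b.group(2)))
        elif e and e.group(2):
            # Record (package name, installed version) that this plan replaces.
            replaced.add((split_atom(e.group(1))[0], e.group(2)))
    report = []
    for installed, blocked in blockers:
        hit = split_atom(installed) in replaced
        report.append({
            "installed": installed,
            "blocks": blocked,
            "status": "replaced-by-planned-upgrade" if hit else "manual-unmerge-needed",
        })
    return report


if __name__ == "__main__":
    for entry in classify_blockers(SAMPLE):
        print(entry)
```
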
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-02 08:48:18 UTC
Reassigning to portage-tools as they maintain glsa-check.
Comment 2 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2006-01-05 02:03:38 UTC
Unless you want us to somehow guess as to which package to unmerge to fix the blocker, we aren't going to special case this GLSA just so that the automated fix works.
Comment 3 Sascha Silbe 2006-01-05 03:17:29 UTC
The bug is that there's a blocker at all. Security updates shouldn't change API (in this case: dependencies).
Instead of taking the latest unstable revision (upstream version is still the same!) and just marking it stable there should have been a copy of the old stable revision just including the security fix, no other changes at all.

It's not about the tool glsa-check, but about the way the openmotif maintainers handled the security update.
Comment 4 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2006-01-05 03:35:41 UTC
Re-assigning to security.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-05 04:13:00 UTC
Sascha, we don't have any policy to enforce what you wish.

The GLSA resolution is incomplete and should be fixed.
Comment 6 Toni DiBoulda 2006-01-06 17:54:02 UTC
Well, seeing as how -- to put it mildly -- the new motif ebuilds are far from
ready for prime-time for more than this reason and over the last 7 days it
has been confirmed independently from 3 different motif experts that the patch
in bug 114234 is a dud, wouldn't it be better to just go back to working
ebuilds until a better solution is found?
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-07 12:54:12 UTC
Toni, could you point to some references? The only bug I can find refers to the blocking deps.
Comment 8 Toni DiBoulda 2006-01-08 16:33:15 UTC
Sune, when searching for unsettled motif bugs, you'll have to include 
resolution "FIXED" in search term because motif bugs are often marked that 
way long before they are really fixed (Bug #29388 Comment #167 has a nice, 
but incomplete, collection). Most prominent outstanding bugs are:

1.  all packages providing virtual/motif are ABI incompatible. Therefore, 
1a. dependency calculation and binary packages are broken, there is no way 
    to tell which virtual was used at compile time.
1b. revdep-rebuild is majorly confused about this invalid situation.
(it's also introducing some kind of libtool hell if dependent libraries are 
involved, very complex issue, please talk to the motif programmers listening 
on the motif bug)

2.  not all programs that work with openmotif work with lesstif as well. Even 
    if motif-config and virtual/motif otherwise worked, rest of portage tree 
    is far from ready for it.

3.  used motif-config setting at build time is unknown to portage during 
    upgrades, this is a major step backwards compared to old motif ebuilds.
    (bug #86822)

4.  mwm users get a different windowmanager every time they use motif-config(!)

5.  openmotif ebuilds do not result in complete motif installation 
    (supposedly due to imaginary licensing issues with lesstif(?), 
    bug #91951)

and (drumroll please)

6.  patch for bug #114234 is not very effective (only catches very small 
    subset of problems and half of it isn't even right). I just noticed 
    somebody already did report it. Still in 2005, right there in bug 114234.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-30 13:50:23 UTC
GLSA updated.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-06 12:18:22 UTC
Toni, please open a new bug assigned to openmotif/qa. I'm closing this one as Security is done here.
Comment 11 Toni DiBoulda 2006-02-07 15:01:48 UTC
Your bug-wrangler seems to disagree. Within minutes I got a duplicate on
some dumping ground for blocking issues, of course ignoring all the other
pressing issues, including most important: security fixes should fix one
thing and one thing only: the security bug.

I vote for reopening this one. It may need reassignment, if security can't
do anything more(?), but if this bug is anything, it is not "FIXED"! In fact,
nothing changed.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-07 15:28:38 UTC

glsa-check might not handle blockers pretty but that is all we can do at the moment.

If there are any other security implications I fail to see, please enlighten me.
Comment 13 Heinrich Wendel (RETIRED) gentoo-dev 2006-02-16 07:46:43 UTC
Toni: I closed all bugs you mentioned with a reasonable comment and fix and nobody replied otherwise on those bugs. If you feel that they are not fixed, go ahead, reopen them and give a reason.
Comment 14 Sanni Täter 2006-03-21 18:13:43 UTC
Being one of the victims, I can confirm not a single one of the bugs in 
comment #8 has been resolved up to this day; let me also add bug #85151, 
reported more than one year ago, not fixed.  And no, "fixed" is not a 
reasonable comment, considering nothing is fixed, especially considering 
bug #85151 has been marked fixed a couple of times without any changes 
being made in that timeframe. This is also true for a number of other bugs.

In reply to comment #12, the security considerations I (and most of the 
other victims) see are that in order to reliably develop motif applications 
with Gentoo, you have to fall back to ebuilds way prior to the motif-config 
transition, none of which have the security patch applied.
Comment 15 Baby Smurf 2006-08-30 21:19:13 UTC

"Unless you want us to somehow guess..."
"we don't have any policy to enforce what you wish"
"Security is done here"
"I fail to see, please enlighten me"
"I closed all bugs with a reasonable comment"

Excellent security job there, boys!  LOL!!!