"glsa-check -f 200512-16" doesn't work because the to-be-installed x11-libs/openmotif-2.2.3-r8 depends on x11-libs/motif-config-0.9, which is blocked by the currently-installed (and insecure) x11-libs/openmotif-2.2.3-r3.

root@cube:~# glsa-check -f 200512-16
fixing 200512-16
>>> merging x11-libs/openmotif-2.2.3-r8
Calculating dependencies ...done!
!!! Error: the =x11-libs/openmotif-2.2.3-r3 package conflicts with another package.
!!! both can't be installed on the same system together.
!!! Please use 'emerge --pretend' to determine blockers.
root@cube:~# equery list openmotif
[ Searching for package 'openmotif' in all categories among: ]
* installed packages
[I--] [ ] x11-libs/openmotif-2.2.3-r3 (2.2)
root@cube:~# emerge -pv openmotif
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[blocks B ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild N ] x11-libs/motif-config-0.9 0 kB
[ebuild U ] x11-libs/openmotif-2.2.3-r8 [2.2.3-r3] 0 kB
Total size of downloads: 0 kB
root@cube:~# equery list motif-config
[ Searching for package 'motif-config' in all categories among: ]
* installed packages
root@cube:~# emerge -pv =x11-libs/motif-config-0.9
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[blocks B ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild N ] x11-libs/motif-config-0.9 0 kB
Total size of downloads: 0 kB
root@cube:~#
Reassigning to portage-tools as they maintain glsa-check.
Unless you want us to somehow guess as to which package to unmerge to fix the blocker, we aren't going to special case this GLSA just so that the automated fix works.
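The blocker in the original report can be detected before an automated fix is attempted. The following is an added example, not part of the thread or of glsa-check: it parses `emerge --pretend` output for `[blocks B ]` lines, and the function names `list_blockers`, `safe_to_autofix` and `sample_pretend_output` are hypothetical. The sample input is the `emerge -pv openmotif` output from the report.

```shell
#!/bin/sh
# Added example: pre-check for blockers before running an automated GLSA fix.
# All function names here are hypothetical helpers, not part of any Gentoo tool.

# list_blockers: read `emerge --pretend` output on stdin and print one line
# per blocker in the form "<blocking atom> <package being blocked>".
list_blockers() {
    sed -n 's/^\[blocks[[:space:]]*B[[:space:]]*\][[:space:]]*\([^[:space:]]*\)[[:space:]]*(is blocking \([^)]*\)).*$/\1 \2/p'
}

# safe_to_autofix: return 0 only if the pretend output on stdin has no
# blockers; otherwise report each one on stderr and return 1.
safe_to_autofix() {
    blockers=$(list_blockers)
    if [ -n "$blockers" ]; then
        printf '%s\n' "$blockers" | while read -r blocker blocked; do
            printf 'blocker: %s must be resolved before %s can merge\n' \
                "$blocker" "$blocked" >&2
        done
        return 1
    fi
    return 0
}

# Sample input: the `emerge -pv openmotif` output quoted in the report above.
sample_pretend_output() {
    cat <<'EOF'
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[blocks B ] =x11-libs/openmotif-2.2.3-r3 (is blocking x11-libs/motif-config-0.9)
[ebuild N ] x11-libs/motif-config-0.9 0 kB
[ebuild U ] x11-libs/openmotif-2.2.3-r8 [2.2.3-r3] 0 kB
Total size of downloads: 0 kB
EOF
}

# Demo on the sample: the check fails, so the fix should not be run unattended.
if sample_pretend_output | safe_to_autofix; then
    echo "no blockers: automated fix can proceed"
else
    echo "blockers present: resolve manually, then re-run the fix"
fi
```

On a live system the input would come from `emerge -pv` for the package the GLSA names, run before `glsa-check -f`.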
The bug is that there's a blocker at all. Security updates shouldn't change API (in this case: dependencies). Instead of taking the latest unstable revision (upstream version is still the same!) and just marking it stable there should have been a copy of the old stable revision just including the security fix, no other changes at all. It's not about the tool glsa-check, but about the way the openmotif maintainers handled the security update.
Re-assigning to security.
Sascha, we don't have any policy to enforce what you wish. The GLSA resolution is incomplete and should be fixed.
Well, seeing as how -- to put it mildly -- the new motif ebuilds are far from ready for prime-time for more than this reason and over the last 7 days it has been confirmed independently from 3 different motif experts that the patch in bug 114234 is a dud, wouldn't it be better to just go back to working ebuilds until a better solution is found?
Toni, could you point to some references? The only bug I can find refers to the blocking deps.
Sune, when searching for unsettled motif bugs, you'll have to include resolution "FIXED" in search term because motif bugs are often marked that way long before they are really fixed (Bug #29388 Comment #167 has a nice, but incomplete, collection). Most prominent outstanding bugs are:
1. all packages providing virtual/motif are ABI incompatible. Therefore,
1a. dependency calculation and binary packages are broken, there is no way to tell which virtual was used at compile time.
1b. revdep-rebuild is majorly confused about this invalid situation. (it's also introducing some kind of libtool hell if dependent libraries are involved, very complex issue, please talk to the motif programmers listening on the motif bug)
2. not all programs that work with openmotif work with lesstif as well. Even if motif-config and virtual/motif otherwise worked, rest of portage tree is far from ready for it.
3. used motif-config setting at build time is unknown to portage during upgrades, this is a major step backwards compared to old motif ebuilds. (bug #86822)
4. mwm users get a different windowmanager every time they use motif-config(!)
5. openmotif ebuilds do not result in complete motif installation (supposedly due to imaginary licensing issues with lesstif(?), bug #91951)
and (drumroll please)
6. patch for bug #114234 is not very effective (only catches very small subset of problems and half of it isn't even right).
I just noticed somebody already did report it. Still in 2005, right there in bug 114234.
GLSA updated.
Toni, please open a new bug assigned to openmotif/qa. I'm closing this one as Security is done here.
Your bug-wrangler seems to disagree. Within minutes I got a duplicate on some dumping ground for blocking issues, of course ignoring all the other pressing issues, including most important: security fixes should fix one thing and one thing only: the security bug. I vote for reopening this one. It may need reassignment, if security can't do anything more(?), but if this bug is anything, it is not "FIXED"! In fact, nothing changed.
http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/security/en/glsa/glsa-200512-16.xml?r1=1.1&r2=1.2&root=gentoo
glsa-check might not handle blockers pretty but that is all we can do at the moment. If there are any other security implications I fail to see, please enlighten me.
Toni: I closed all bugs you mentioned with a reasonable comment and fix and nobody replied otherwise on those bugs. If you feel that they are not fixed, go ahead, reopen them and give a reason.
Being one of the victims, I can confirm not a single one of the bugs in comment #8 has been resolved up to this day; let me also add bug #85151, reported more than one year ago, not fixed. And no, "fixed" is not a reasonable comment, considering nothing is fixed, especially considering bug #85151 has been marked fixed a couple of times without any changes being made in that timeframe. This is also true for a number of other bugs. In reply to comment #12, the security considerations I (and most of the other victims) see are that in order to reliably develop motif applications with Gentoo, you have to fall back to ebuilds way prior to the motif-config transition, none of which have the security patch applied.
LOL!!! "Unless you want us to somehow guess..." "we don't have any policy to enforce what you wish" "Security is done here" "I fail to see, please enlighten me" "I closed all bugs with a reasonable comment" Excellent security job there, boys! LOL!!!