Overview Description: emerge --usepkg[only] does not take USE flags into account at all. If a matching binary package exists, it will be merged even if the USE flags in that binary package contradict the flags set for that package. This behaviour can already be detected when comparing the pretended outputs of a regular and a binary merge, they differ in the USE flags. This can lead to serious trouble, e.g. if you have openssh compiled with LDAP support to authenticate against an LDAP directory, and accidentally binary-merge a version without LDAP support, you can easily lock yourself out of your remote server. Because there are several other possibilities how this behaviour can break your system, I chose "major" for the severity of this bug. IMHO emerge -k should reject binary packages with wrong USE flags and compile the package, emerge -K should refuse to do anything. Steps to reproduce: 1) Choose any package with USE flags to test this. For that package, choose a USE flag which you're going to modify to test this issue. I'll choose www-client/links here, because it's small and the "ssl" USE flag is easy to test. 2) Check the currently active USE flags, and build a binary package: # emerge -pv www-client/links [ebuild R ] www-client/links-2.1_pre20 USE="... -ssl ..." # quickpkg www-client/links Here I first have the "ssl" flag deactivated, so I build the binary package without SSL support. 3) Change (invert) the USE flag you have chosen: # echo "www-client/links ssl" >> /etc/portage/package.use # emerge -pv www-client/links [ebuild R ] www-client/links-2.1_pre20 USE="ssl* ..." So links will be rebuilt with SSL support. 4) Rebuild the package: # emerge www-client/links 5) Compare the pretended actions of a regular and a binary merge: # emerge -pv www-client/links [ebuild R ] www-client/links-2.1_pre20 USE="ssl ..." # emerge -pvk www-client/links [binary R ] www-client/links-2.1_pre20 USE="... -ssl ..." Here you already see what will happen: The binary merge will install links without SSL support, although the "ssl" flag is active. 6) Perform the binary merge: # emerge -k www-client/links 7) Verify that the package actually has been installed with the wrong USE flags: # links https://bugs.gentoo.org Error loading https://bugs.gentoo.org/: This version of Links does not contain SSL/TLS support Actual Results: The binary package has been installed although it's USE flags do not match the flags set for that package. Expected Results: emerge -k should regularly compile the package with the correct USE flags, thus ignoring the binary package. emerge -K should refuse to do any merges. Build Date & Platform Tested with portage-2.1 and portage-2.0.54-r2 on Gentoo Linux x86 (2006.0 profile), gcc-3.4.6-r1 and gcc-3.3.6
While working on some nearby code I noticed that --newuse should give you the behavior that you want.