Bug 513718 - [TRACKER] Multilib dependencies need to be >= on min-ver(EAPI=5, supporting multilib)
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Multilib team
Keywords: Tracker
Depends on: 513770 513772 513774 513776 513778 513780 513782 513784 513786 513788 513790 513792 513794 513796 513798 513800 517442
Blocks: 525256
Reported: 2014-06-18 18:41 UTC by Michał Górny
Modified: 2015-07-08 18:47 UTC (History)


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-06-18 18:41:19 UTC
EAPI magicians can probably tell you more but long story short, EAPI<5 ebuilds can randomly satisfy ${MULTILIB_USEDEP} deps. This results in two big issues:

1. random old ebuilds can pretend to be multilib when they're not, effectively breaking other multilib ebuilds,

2. repoman won't complain when you stabilize a multilib ebuild with unstable deps, and then emerge will want to downgrade to an EAPI<5 version to 'satisfy' deps on stable.

Since so far there's no good solution for this, we've decided to go the hard way and require every multilib dependency to have a >= operator and a version matching either the first ebuild of continuous EAPI=5 ebuilds or continuous multilib ebuilds.

In other words, instead of:

  dev-foo/bar[${MULTILIB_USEDEP}]

you use:

  >=dev-foo/bar-${BAR_PV}[${MULTILIB_USEDEP}]

where ${BAR_PV} is chosen so that either:

a) all ebuilds >= ${BAR_PV} are EAPI=5 or newer,

b) all ebuilds >= ${BAR_PV} are multilib.
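
An added example (not part of the bug report, and not the multilib-dep-fixor script): one way to compute the ${BAR_PV} candidates under rules (a) and (b) and to rewrite an unversioned multilib dep. The ebuild list is constructed, the function names are hypothetical, and version comparison is simplified to dotted numbers, an optional letter and -rN (no _alpha/_rc/_p suffixes).

```python
import re

# Constructed sample data for dev-foo/bar: (version, EAPI, is the ebuild multilib?)
SAMPLE = [
    ("1.0", 4, False),
    ("1.1", 5, False),
    ("1.2", 4, False),     # old-EAPI ebuild above an EAPI=5 one breaks the run
    ("1.2-r1", 5, False),
    ("1.3", 5, True),
    ("1.10", 5, True),
]

def version_key(v):
    """Sort key for the simplified version syntax (assumption, see lead-in)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums, m.group(2), int(m.group(3) or 0))

def continuous_floor(ebuilds, ok):
    """Lowest version V such that every ebuild >= V satisfies ok(); None if none."""
    floor = None
    ordered = sorted(ebuilds, key=lambda e: version_key(e[0]), reverse=True)
    for version, eapi, multilib in ordered:   # walk from newest to oldest
        if not ok(eapi, multilib):
            break                             # the continuous run ends here
        floor = version
    return floor

def bar_pv_candidates(ebuilds):
    """Candidate ${BAR_PV} values for rule (a) and rule (b) of the description."""
    return {
        "eapi5": continuous_floor(ebuilds, lambda eapi, ml: eapi >= 5),
        "multilib": continuous_floor(ebuilds, lambda eapi, ml: ml),
    }

def fix_dep(dep, pv):
    """cat/pkg[${MULTILIB_USEDEP}] -> >=cat/pkg-PV[${MULTILIB_USEDEP}]."""
    m = re.fullmatch(
        r"([\w+.-]+/[\w+.-]+?)((?::[\w+./=*-]+)?\[[^\]]*\$\{MULTILIB_USEDEP\}[^\]]*\])",
        dep)
    if not m:
        return dep   # already has an operator, or is not a multilib dep
    return f">={m.group(1)}-{pv}{m.group(2)}"
```

For the constructed list, rule (a) gives 1.2-r1 and rule (b) gives 1.3; either value satisfies the requirement as stated in the description.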
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-06-18 18:42:20 UTC
Ah, the script to fix dependencies lives at:

https://bitbucket.org/mgorny/multilib-dep-fixor/src

It's pretty limited but it should handle most of the wrongdoings.
Comment 2 orionbelt2 2014-06-19 10:19:19 UTC
Could someone who knows please check whether comment #19 in bug #471300 might be related to this bug?

https://bugs.gentoo.org/show_bug.cgi?id=471300#c19
Comment 3 Luke-Jr 2015-07-07 20:59:16 UTC
This appears to break the ability to downgrade to openssl-1.0.0r (unaffected by non-disclosed vulnerability present in all versions of 1.0.1). Any way to resolve this cleanly?
Comment 4 Pacho Ramos gentoo-dev 2015-07-08 18:47:47 UTC
I think you are hitting bug 467774