Zac Medico <zmed...@gentoo.org> writes:

> On 10/11/2011 10:28 PM, Mike Gilbert wrote:
>> Francisco raised a possibly valid point in his original message: though
>> packages may not be currently used for anything, they could contain
>> un-patched security flaws.
>
> If they contain something that's accessed at runtime, then they should
> be in RDEPEND or PDEPEND, no exceptions.
But is it not possible that the flaw in the build-time dependency causes an insecurity to be built into the dependent package and that both have to be rebuilt as part of the security fix?