On 06/30/2015 11:25 AM, Michael Orlitzky wrote:
> On 06/30/2015 02:12 PM, Zac Medico wrote:
>>
>>> Suppose ten years from now everything is written in Go. I have 500
>>> statically linked Go packages on my system, all of whose dependencies
>>> were built and compiled-in at install time. Now someone finds a remote
>>> root vulnerability in the go-openssl library. I know some of the
>>> packages I have installed were built against it. What do I do?
>>
>> Use slot-operator := deps, together with the emerge --with-bdeps=y
>> option. Then, if you bump the sub-slot of the go-openssl library, all of
>> your go packages that have it in DEPEND with a slot-operator :=
>> dependency will be rebuilt automatically.
>>
>
> Right, and now what if go-openssl was built on-the-fly 500 times and
> there's no package for it?

Yeah that's obviously sub-optimal, and it's the reason why I created the
dev-go/* ebuilds. However, we may want to distinguish between libraries
that would only have a single consumer and libraries that would have
multiple consumers. Using the same rules regardless of the number of
consumers is not necessarily optimal.
--
Thanks,
Zac
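
The exchange above, as an added example that is not part of the original thread or of Portage itself: a small audit of the installed-package database showing which consumers a sub-slot bump of the library would reach. It assumes the usual VDB layout (`<root>/<category>/<package-version>/DEPEND`, normally under `/var/db/pkg`) and that a `:=` dependency is saved there with the slot/sub-slot it was built against; the consumer package names and the sub-slot values are constructed.

```python
import os
import re
import tempfile

def recorded_deps(vdb_root, atom):
    """Yield (installed_pkg, binding) per recorded DEPEND entry naming atom;
    binding is the slot/sub-slot Portage saved for a := dependency, or None
    when the dependency carried no slot operator."""
    pat = re.compile(r"^[<>=~!]*" + re.escape(atom) + r"(?:-\d[^:\[]*)?(?::([^\[]*))?(?:\[.*)?$")
    for cat in sorted(os.listdir(vdb_root)):
        cat_dir = os.path.join(vdb_root, cat)
        if not os.path.isdir(cat_dir):
            continue
        for pf in sorted(os.listdir(cat_dir)):
            path = os.path.join(cat_dir, pf, "DEPEND")
            if not os.path.isfile(path):
                continue
            with open(path) as fh:
                for token in fh.read().split():
                    m = pat.match(token)
                    if m:
                        slot = m.group(1) or ""
                        yield f"{cat}/{pf}", slot[:-1] if slot.endswith("=") else None

def audit(vdb_root, atom, current):
    """Sort consumers by whether a sub-slot bump to `current` reaches them."""
    report = {"stale": [], "current": [], "untracked": []}
    for pkg, binding in recorded_deps(vdb_root, atom):
        key = "untracked" if binding is None else "current" if binding == current else "stale"
        report[key].append(pkg)
    return report

def make_sample_vdb():
    """Constructed VDB: three consumers, plus one that bundles its own copy."""
    root = tempfile.mkdtemp()
    sample = {
        "app-misc/alpha-1.0": ">=dev-lang/go-1.4 dev-go/go-openssl:0/1=",
        "app-misc/beta-2.1": "dev-lang/go >=dev-go/go-openssl-0.3:0/2=",
        "app-misc/gamma-0.9": "dev-go/go-openssl dev-go/go-openssl-extras:0/1=",
        "app-misc/delta-3.0": "dev-lang/go",  # library fetched and built in-tree
    }
    for pkg, depend in sample.items():
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "DEPEND"), "w") as fh:
            fh.write(depend + "\n")
    return root

if __name__ == "__main__":
    print(audit(make_sample_vdb(), "dev-go/go-openssl", "0/2"))
```

The constructed `delta` package, which builds the library in-tree, appears in no bucket: with no packaged dependency recorded, there is nothing for a sub-slot bump or an audit like this to find.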