On Thu, Sep 12, 2019 at 5:11 PM Michael Orlitzky <m...@gentoo.org> wrote:
>
> On 9/12/19 1:43 PM, Mike Gilbert wrote:
> >
> > They do "go away" if you pass the right options to emerge, or if you
> > install it from a binpkg in the first place.
> >
>
> The dependencies are statically linked into the final executable forever
> and receive no security updates. Portage doesn't even know they're
> there. Depclean doesn't do what you think it does in that case. (I'm
> sure you personally understand how this works, but a regular user has no
> idea that we've installed 100MB of vulnerable code on his machine and
> have just abandoned it there.)

Putting the dependencies in RDEPEND means users get stuck with yet
another copy of the code installed, in addition to the copy that is
statically linked into all reverse dependencies.

It's not a very good solution to the problem.
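The point raised in this thread, that Portage has no record of which library versions ended up statically linked into a Go executable, means an administrator who wants to know whether an installed binary still carries a vulnerable dependency has to ask the binary itself. The following script is an added example and is not from the thread, from Gentoo or from Portage; it relies on the fact that Go binaries embed their module list as plain tab-separated text (the data `go version -m` prints) and scans for it directly so that no Go toolchain is needed on the audit host. The module paths, versions, the stand-in binary bytes and the "fixed in" table are all constructed for illustration.

```python
import re
import sys
from typing import Dict, List, Tuple

# Go binaries embed the module graph used at build time as plain text.
# Each module line is tab-separated: "dep\t<module path>\t<version>\t<h1:hash>"
# (the main module uses "mod" instead of "dep"). Matching the text form means
# the check works on a machine that has no Go toolchain installed.
MODULE_LINE = re.compile(
    rb"^(?:mod|dep)\t([^\t\n]+)\t([^\t\n]+)(?:\t[^\n]*)?$", re.MULTILINE
)

# Go module versions: vMAJOR.MINOR.PATCH with an optional pre-release suffix.
# Pseudo-versions (v0.9.0-20190801120000-abcdef123456) are pre-releases too.
SEMVER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+.*)?$")


def embedded_modules(binary: bytes) -> Dict[str, str]:
    """Return {module path: version} for every module recorded in the binary."""
    found: Dict[str, str] = {}
    for path, version in MODULE_LINE.findall(binary):
        found[path.decode()] = version.decode()
    return found


def parse_version(v: str) -> Tuple[int, int, int, bool]:
    """Turn a Go module version into a comparable tuple.

    The final element is True for a release and False for a pre-release, so a
    pre-release of v0.9.0 sorts before v0.9.0 itself, as Go's own ordering does.
    """
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"not a Go module version: {v}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4) is None)


def vulnerable_modules(
    binary: bytes, fixed_in: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """List (module, embedded version, first fixed version) for every embedded
    module that is older than the version carrying the fix."""
    hits = []
    for path, version in embedded_modules(binary).items():
        if path in fixed_in and parse_version(version) < parse_version(fixed_in[path]):
            hits.append((path, version, fixed_in[path]))
    return sorted(hits)


# Constructed stand-in for a Go executable: an ELF-looking header and padding
# around the module list the linker would embed. Module names are made up.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 32
    + b"path\texample.com/app/cmd/server\n"
    + b"mod\texample.com/app\tv0.4.1\th1:AAAA\n"
    + b"dep\texample.com/lib/parser\tv1.2.3\th1:BBBB\n"
    + b"dep\texample.com/lib/tls\tv0.9.0-20190801120000-abcdef123456\th1:CCCC\n"
    + b"dep\texample.com/lib/log\tv2.0.0\th1:DDDD\n"
    + b"\x00" * 16
)

# Constructed advisory table: module path -> first version containing the fix.
FIXED_IN = {
    "example.com/lib/parser": "v1.2.4",
    "example.com/lib/tls": "v0.9.0",
    "example.com/lib/log": "v1.5.0",
}


def audit_file(filename: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Read a binary from disk and report its outdated embedded modules."""
    with open(filename, "rb") as fh:
        return vulnerable_modules(fh.read(), fixed_in)


if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit each
    # file named on the command line (e.g. binaries under /usr/bin).
    if len(sys.argv) == 1:
        results = {"<sample>": vulnerable_modules(SAMPLE_BINARY, FIXED_IN)}
    else:
        results = {name: audit_file(name, FIXED_IN) for name in sys.argv[1:]}
    for name, hits in results.items():
        for module, have, fixed in hits:
            print(f"{name}: {module} {have} is older than fixed version {fixed}")
```

Run against the sample it reports the parser and tls modules as outdated and says nothing about the log module, whose embedded v2.0.0 is newer than the fix. A real advisory table would come from your own vulnerability feed; the point of the check is that it inspects the executable Portage installed rather than the package database, which knows nothing about what was linked in.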
