On Wed, 8 Apr 2020 17:39:54 +0000 Peter Stuge <pe...@stuge.se> wrote:
> E.g. for auditing the installed values of these could be worth a lot.

Only as far as analysing "why was this package installed, currently the metadata says it's un-audited!". But for things like "affected by CVE/Bug", the very nature of those is they're often post-install metadata, so one should not be required to change an ebuild and reinstall the ebuild if that metadata has to change.

And say, if a currently installed package had its "audit check marker" removed from the metadata, portage should react to that immediately and treat the installed package as bad. The "what was the metadata when this package was installed" would only help portage clarify the output message.