On 4/1/20 11:49 AM, Alec Warner wrote:
> Imagine a common dep (CommonFoo-x-y-z) has a security problem, so we
> must upgrade to CommonFoo-y-z. In the scenario where CommonFoo is a
> dynamically linked package we can recompile it once[4] and new
> consumers will just use the new dynamic shared object. In a bundling
> scenario, we will be forced to rebuild[5] all consumers.
This is highly euphemistic. What actually happens is: someone discovers a security issue in a Go library. That library is not "in" Gentoo, because it only ever appears in a string inside of another ebuild that bundles everything. Thereafter, a whole lot of nothing happens. Users remain vulnerable "forever," until some other unrelated event causes both the ebuild and its dependency to be updated.

Your license scenario is also wishful thinking. All of the LICENSE bugs reported when this eclass was proposed have been sitting open for six months. As soon as the eclass was committed, that shit went out the door and the developers moved on to make more money at our expense. You got scammed.