| View previous topic :: View next topic |
| Author |
Message |
honeymak
l33t
Joined: 30 Dec 2002
Posts: 614
|
 Posted: Tue Jun 03, 2025 12:55 am Post subject: spidermonkey or emerge - bug or special handling? |
 |
|
| Code: |
g64 ~ # glsa-check -l
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
202505-08 [N] Spidermonkey: Multiple Vulnerabilities ( dev-lang/spidermonkey )
g64 ~ # equery l dev-lang/spidermonkey
* Searching for spidermonkey in dev-lang ...
[IP-] [ ] dev-lang/spidermonkey-115.16.0-r1:115
g64 ~ # emerge world -Dupv
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 66.53 s (backtrack: 0/20).
Total: 0 packages, Size of downloads: 0 KiB
g64 ~ # emerge world -Deupv|grep spidermonkey
[ebuild R ] dev-lang/spidermonkey-115.16.0-r1:115::gentoo USE="jit -clang -debug -lto -test" LLVM_SLOT="18" 0 KiB
g64 ~ # emerge dev-lang/spidermonkey -upv
These are the packages that would be merged, in order:
Calculating dependencies... done!
Dependency resolution took 17.69 s (backtrack: 0/20).
[ebuild N ] dev-util/cbindgen-0.28.0::gentoo USE="-debug -test" 2234 KiB
[ebuild NS ] dev-lang/spidermonkey-128.10.1:128::gentoo [115.16.0-r1:115::gentoo] USE="jit -clang -debug -test (-lto%)" LLVM_SLOT="19%* -17% -18*" 555445 KiB
Total: 2 packages (1 new, 1 in new slot), Size of downloads: 557678 KiB
|
the story is like the following:
step 1. glsa-check
step 2. found spidermonkey
step 3. try to update spidermonkey implicitly hoping world updates
step 4. world has nothing to update
step 5. why spidermonkey has update but not reporting to world updates
_________________
hackers - make sth real
academics - read sth said to be real |
|
| Back to top |
|
 |
Juippisi
Developer
Joined: 30 Sep 2005
Posts: 767
Location: /home
|
| Posted: Tue Jun 03, 2025 5:08 am Post subject: |
|
|
SpiderMonkey is slotted - meaning you can have multiple versions installed at the same time. Some packages still depend on Spidermonkey's :115 slot, pulling 115.16.0-r1. It's pretty bad indeed considering 115 is now 2 years old. Upstreams should try to move to 140 which will be out later this month and skip 128 completely, or we'll be in this same situation again next year.
Usually Mozilla stops updating the ESR branch quite quickly when a new one is released (they do 2-3 releases for the old one), but indeed 115 has been receiving some updates to this very day. I'll take a look about shipping a more recent version in that branch. |
|
| Back to top |
|
|
honeymak
l33t
Joined: 30 Dec 2002
Posts: 614
|
| Posted: Tue Jun 03, 2025 5:14 am Post subject: |
|
|
sorry for that i missed a step to check
| Code: |
emerge spidermonkey -pvac
|
it says dev-libs/gjs requires spidermonkey
gjs is kinda gnome stuff and gnome javascript thingie
hmmmm......does that mean if i don't use gnome anymore then i m free from this?....xp
coz i m looking into very cool dwm or dwl
_________________
hackers - make sth real
academics - read sth said to be real |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23550
|
| Posted: Tue Jun 03, 2025 1:35 pm Post subject: |
|
|
| If you want to remove gjs, then try emerge --ask --verbose --depclean dev-libs/gjs dev-lang/spidermonkey. More generally, keep adding to the --depclean line until either it succeeds, or the next iteration would require removing something you want to keep. However, if your @world set is clean, a bare emerge --ask --depclean should remove everything you don't want. |
|
| Back to top |
|
|
|
Portage & Programming
