# best practices for security updates?

## back40

I used to use Gentoo a while back and keep wanting to come back.  One concern I had was about how to keep my system up-to-date.  

If I understand correctly, Gentoo is a rolling release, so packages are updated continuously and not a regular full release every 6 months type of thing.  The concern I have is that I've found FAQs and wikis that imply people simply update their portage tree, then run glsa-check and update only those packages.  Couldn't this potentially lead to an unstable system?  

If glsa-check led me to update a package which then had to bring in an update to a dependency, other packages that use that same dependency could now be broken due to the new version.  It seems the only appropriate usage is what I essentially used to have to do when I was using Arch - update the package list, then update all packages in the system.

This would also apply to anything - not just security updates.  If I wanted the latest version of Firefox, I'd need to update my portage tree.  At this point, I really should emerge world because if I only install the new Firefox, I could be bringing in other dependencies that could make the system inconsistent.

Am I correct about this or am I not thinking about this right?  Maybe dependency checking/installation works differently than in Arch so it's not so much of an issue?

Thanks for any suggestions you might have.

----------

## Hypnos

You have the basic idea.  If you upgrade some deep dependency, the packages depending on it may themselves need to be updated.

First, Gentoo developers recommend that you upgrade all packages in your system at once, like on Arch.  This is the obvious way to solve your problem.  After doing the global upgrade, run the script "revdep-rebuild" to identify and rebuild packages with broken library links.

Second, if you don't want to do that, you can just update the packages with security alerts, then revdep-rebuild.  Note, however, that this script won't catch broken runtime dependencies in Xorg, Python, Java, etc. that the developers may have missed.  Gentoo devs work primarily with the latest versions in Portage, so the risk is higher of some weirdness if you upgrade only deep deps.

I myself only upgrade individual packages, and only when the package disappears from Portage or there is a security alert.  My only screw-up in this practice involved "slots" (more here).

HTH.
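The two update paths discussed in this thread (a full @world upgrade, and a GLSA-only fix followed by revdep-rebuild) written out as a small POSIX shell script. This is an added example, not code from either poster. It assumes `emerge`, `glsa-check` and `revdep-rebuild` are installed (Portage plus app-portage/gentoolkit); the `DRY_RUN` switch, the `run` wrapper and the function names are my own. With `DRY_RUN=1` (the default) it only prints the commands it would run, so you can review the sequence before touching a real box.

```shell
#!/bin/sh
# Gentoo security-update workflow (added example; not from the original thread).
# Strategy A: upgrade everything, then repair broken library links.
# Strategy B: fix only packages with a GLSA, then repair broken library links.
# DRY_RUN=1 (default) prints each command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS... : echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# need TOOL : fail early with a hint if a required tool is missing (real runs only).
need() {
    [ "$DRY_RUN" = "1" ] && return 0
    command -v "$1" >/dev/null 2>&1 || {
        printf 'missing tool: %s (emerge is in sys-apps/portage; glsa-check and revdep-rebuild come with app-portage/gentoolkit)\n' "$1" >&2
        return 1
    }
}

# Strategy A: the path the Gentoo developers recommend.
full_upgrade() {
    need emerge && need revdep-rebuild || return 1
    run emerge --sync
    # -u update, -D deep (follow dependencies), -N rebuild on USE changes
    run emerge --ask --verbose --update --deep --newuse @world
    # remove packages nothing depends on any more
    run emerge --ask --depclean
    # relink anything left pointing at libraries that no longer exist
    run revdep-rebuild
}

# Strategy B: security fixes only. glsa-check --fix may still pull in updated
# dependencies, which is exactly why revdep-rebuild follows it.
security_only() {
    need emerge && need glsa-check && need revdep-rebuild || return 1
    run emerge --sync
    # list the GLSAs this system is affected by
    run glsa-check --test all
    # show which packages (and dependencies) a fix would emerge
    run glsa-check --pretend all
    run glsa-check --fix all
    run revdep-rebuild
}

# Usage: DRY_RUN=0 sh glsa-update.sh security   (or: full)
case "${1:-}" in
    full)     full_upgrade ;;
    security) security_only ;;
esac
```

Run it first with the default `DRY_RUN=1` to see the exact command sequence, then with `DRY_RUN=0` on the machine you are updating. `glsa-check --pretend all` is the step that answers the original question: it shows up front which dependencies the security fix would drag in, so you can decide whether to switch to the full @world upgrade instead.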

----------

