You see, I’ve become literally scared to update Gentoo. Installing updates on Gentoo is like a challenging puzzle game. Installing Gentoo updates is an NP-hard problem. It is a drain on your time, it’s a family tragedy and it is plain and simple a security threat. But let’s start at the very beginning, when I first saw a Linux thingy at my grad school….
At the beginning, there was Windows 3.11 for Workgroups. The first computers I interacted with ran MS-DOS or Windows 3.11. Then Windows 95, and 98, and finally Windows XP. I thought Windows was all there is.
And then I went to a CS class in college, and wham! Gentoo.
I immediately fell in love with these green [ ok ] marks that show when a portion of the system has comkpleted loading. Unlike the never-ending scrollbar of Windows XP, it fosters immediate connection with the inner workfings of the machine. You feel involved. You feel in the know. You feel powerful.
So when I needed to choose a Linux distro to complete my coursework, it was Gentoo.
The main feature of Gentoo is that you build everything from sources. Nothing connects you to
the inner workings than you literally witnessing the
gcc invocations as they churn through your
kernel you manually configured, through the window manager, or a new version of
right, every single package–including the Kernel–is rebuilt on your local machine. Why?
One tihng, is that you can enable unsafe optimizations and tie everything to your machine. Those
off-the-shelf distros have to work on a number of machines, but with Gentoo, you can compile
gcc -O3 --arch=icore7 -fenable-unsafe-life-choices.
It is insanely satisfying to watch. You haven’t lived if you’ve never seen Linux software compile. If you haven’t seen it, watch it. It’s worth it. It’s like watching fire.
Another selling point, you can disable the features and Reduce Bloat(tm). You don’t want to build a
desktop environment? Fine–all your packages will compile without the GUI bindings. You never use
PHP? Fine, no PHP bindings. You don’t like
bzip2? (Wait, what?) You can disable that too!
You just specify it in the
USE flags in your
USE="-pgp -gtk -qt4 -bzip2", and then when you
emerge your packages, they’ll build without them. (
emerge is the
Awesome. Wait, what did you say about Bzip2? You can compile your system without bzip and only with gzip? Why do you even care? That’s because you’re a college kid with a lot of time on your hands. Emerge on.
So I emerge. Back in 2005, it took really long to compile KDE 3. We would leave it
overnight to compile, and pray that it would not fail because our particular
USE flags selection
didn’t make it fail.
And then you try to update it.
emerge -uDpav, I still remember it. It recompiles all your
… or not. If you somehow forget to update the system (e.g. you leave for a vacation, or your cron crashes) then come back in two weeks and try to update it… it will fail to compile. That’s when you’re introduced to dependency twister.
Since the system is its own build environment, every next version should be buildable on top of the previous version. But sometimes it’s just not. It just doesn’t build. Some library is too old, but in order to compile a new version, you need to downgrade another library. Or worse, build dependencies form loops. Imagine dependency Foo needs a new version of library Bar to compile, and the new version of library Bar requies a new version of Foo–this actually sometimes happens.
Then, you’d have to resolve them by temporarily disabling or re-enabling
USE flags. Or randomly
rebuilding subsets of your packages (via helper tools like
revdep-rebuild). Or applying the
updates in the correct order, but you need to figure out the order first.
It’s 2017 and you still have to do it; nothing changed.
As a result, your system quickly rots and becomes a security hazard. A computer that hasn’t been
updated for years, and is open to the network is a security risk. My access logs showed that
automated bots were constantly trying to hack the website (polling URLs like
So that’s it. Unless the system can security updates quickly and reliably, it’s a security
hazard. Gentoo can not.
I got tired playing dependency twister around the time I graduated. Also, I got tired of trying to update Ruby’s ActiveRecord every now and then. Nothing like doing this for several years, I really makes you appreciate App Engine and simialr products.
So I bid Gentoo farewell and moved on. I moved on to Whatever Linux that makes my Docker Containers up to date… which is now I believe Ubuntu? I don’t really know and I no longer care.
Good bye, [ ok ]. I will miss you.
Author Paul Shved
Modified January 25, 2018
License CC BY-SA 3.0