Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Chris Gianelloni <wolf31o2@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 3097 bytes --]

On Sun, 2004-09-26 at 23:52, Duncan wrote:
> OK, I've been running portage 2.0.51-whatever for several releases, and
> it's certainly beginning to shape up nicely!  Here are some
> comments/questions/suggestions, FWTW..
> 
> 1) The new "spinner" is /very/ cool!

New eye candy?

OOh... and how do I view this new whiz-bang feature of portage?

*grin*

> 2) Documentation is coming alone nicely.
> 
> It's nice to see updated 2.0.51 versions of the various man pages, now.
> 
> I'm seeing a couple things missing still, tho.  The main one I noticed was
> the portage (5) manpage doesn't list the new /etc/portage/profile yet. 
> Also, an earlier einfo mentioned /etc/portage/profiles/virtuals while the
> new inject depreciated message mentions
> /etc/portage/profile/package.provided.  I assume these are supposed to
> both be the same dir, but don't know whether it's profile or profiles. 
> Granted, a typo or changed policy is fine, but without documentation
> confirming one or the other as right, I'm left guessing.

profiles

> 3) What about the QA Notices?
> 
> Evidently .51 is rather stricter in some things than .50 and a number of
> things are QA Notices now that were silent, before.  Are things to the
> point where it's worthwhile bugging the various ebuilds that emit these
> notices, illegal eclass inheritance and the like, or are there still
> enough of them it'd just be unnecessary noise?

I think we're getting close to time to start writing bugs for the
ebuilds that don't have them already.  I would think most of the worst
offenders already have bugs.

> What about that security notice I've seen pop up a few times?  Example:
> 
> QA Notice: Security risk /usr/bin/crontab. Please consider relinking with
> 'append-ldflags -Wl,-z,now' to fix.
> 
> What's this mean?  What are the implications?  How do I do that relinking
> if I decide I need to?   Can I fix it by enabling a feature in make.conf
> or do I run a separate command?  Either way, there's not enough info there
> to actually DO it, nor do I even have enough info to rightly evaluate the
> "security risk"!

Actually, that is more a message for the developer.  You can perform the
same function locally with the LDFLAGS variable in your make.conf, but
really the package should be fixed by the developer by adding the
"append-ldflags -Wl,-z,now" to the ebuilds, as stated by the emerge
process.  This has all been since sfperms was added to the default
FEATURES.

> There's simply not enough there to be anything but a teaser, yet it's
> labeled security risk.  Someone's being *MEAN* with their teasing! =:^\

Blame solar... if that doesn't work, blame vapier... I'm sure it is his
fault somehow...

I definitely agree, though.  We shouldn't be spewing out "This could
allow people to own your box" messages without spewing out "...and
here's how to fix it" messages that are just as easy to understand.

-- 
Chris Gianelloni
Release Engineering - Operations/QA Manager
Games - Developer
Gentoo Linux

Is your power animal a penguin?

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]