From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 25700 invoked from network); 27 Sep 2004 21:48:21 +0000 Received: from smtp.gentoo.org (156.56.111.197) by lists.gentoo.org with AES256-SHA encrypted SMTP; 27 Sep 2004 21:48:21 +0000 Received: from lists.gentoo.org ([156.56.111.196] helo=parrot.gentoo.org) by smtp.gentoo.org with esmtp (Exim 4.41) id 1CC3M5-0006ik-7Y for arch-gentoo-dev@lists.gentoo.org; Mon, 27 Sep 2004 21:48:21 +0000 Received: (qmail 10776 invoked by uid 89); 27 Sep 2004 21:47:50 +0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 31172 invoked from network); 27 Sep 2004 21:47:49 +0000 From: Chris Gianelloni Reply-To: wolf31o2@gentoo.org To: gentoo-dev@lists.gentoo.org In-Reply-To: References: Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-pvU6BuyS7yKD0oPJMfql" Organization: Gentoo Linux Message-Id: <1096321571.15324.16.camel@cgianelloni.nuvox.net> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Mon, 27 Sep 2004 17:46:11 -0400 Subject: Re: [gentoo-dev] Portage 2.0.51 comments/questions X-Archives-Salt: 8b709286-9129-4eec-8415-8c5e3c5f0b21 X-Archives-Hash: 847eda79313ff36227000182999a92a0 --=-pvU6BuyS7yKD0oPJMfql Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sun, 2004-09-26 at 23:52, Duncan wrote: > OK, I've been running portage 2.0.51-whatever for several releases, and > it's certainly beginning to shape up nicely! Here are some > comments/questions/suggestions, FWTW.. >=20 > 1) The new "spinner" is /very/ cool! New eye candy? OOh... and how do I view this new whiz-bang feature of portage? *grin* > 2) Documentation is coming alone nicely. >=20 > It's nice to see updated 2.0.51 versions of the various man pages, now. >=20 > I'm seeing a couple things missing still, tho. The main one I noticed wa= s > the portage (5) manpage doesn't list the new /etc/portage/profile yet.=20 > Also, an earlier einfo mentioned /etc/portage/profiles/virtuals while the > new inject depreciated message mentions > /etc/portage/profile/package.provided. I assume these are supposed to > both be the same dir, but don't know whether it's profile or profiles.=20 > Granted, a typo or changed policy is fine, but without documentation > confirming one or the other as right, I'm left guessing. profiles > 3) What about the QA Notices? >=20 > Evidently .51 is rather stricter in some things than .50 and a number of > things are QA Notices now that were silent, before. Are things to the > point where it's worthwhile bugging the various ebuilds that emit these > notices, illegal eclass inheritance and the like, or are there still > enough of them it'd just be unnecessary noise? I think we're getting close to time to start writing bugs for the ebuilds that don't have them already. I would think most of the worst offenders already have bugs. > What about that security notice I've seen pop up a few times? Example: >=20 > QA Notice: Security risk /usr/bin/crontab. Please consider relinking with > 'append-ldflags -Wl,-z,now' to fix. >=20 > What's this mean? What are the implications? How do I do that relinking > if I decide I need to? Can I fix it by enabling a feature in make.conf > or do I run a separate command? Either way, there's not enough info ther= e > to actually DO it, nor do I even have enough info to rightly evaluate the > "security risk"! Actually, that is more a message for the developer. You can perform the same function locally with the LDFLAGS variable in your make.conf, but really the package should be fixed by the developer by adding the "append-ldflags -Wl,-z,now" to the ebuilds, as stated by the emerge process. This has all been since sfperms was added to the default FEATURES. > There's simply not enough there to be anything but a teaser, yet it's > labeled security risk. Someone's being *MEAN* with their teasing! =3D:^\ Blame solar... if that doesn't work, blame vapier... I'm sure it is his fault somehow... I definitely agree, though. We shouldn't be spewing out "This could allow people to own your box" messages without spewing out "...and here's how to fix it" messages that are just as easy to understand. --=20 Chris Gianelloni Release Engineering - Operations/QA Manager Games - Developer Gentoo Linux Is your power animal a penguin? --=-pvU6BuyS7yKD0oPJMfql Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQBBWIojkT4lNIS36YERAuuiAKCvJWMOTIp4Vwk2yw7i1OX0W/lL6gCgup78 uUQlkbSZW177/rcVDwgEhSI= =X40t -----END PGP SIGNATURE----- --=-pvU6BuyS7yKD0oPJMfql--