[gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Maciej Mrozowski]

[-- Attachment #1: Type: text/plain, Size: 2414 bytes --]

Hi

I'd like to raise your attention on problem of in my opinion overusing IUSE 
defaults in various packages.
Currently there seems to be no policy whatsoever at least advising when it's 
appropriate to add +<useflag> and when not, so it's just up to developer's 
taste.
While it usually doesn't do any particular harm (but I guess security and 
prefix/alt team won't agree on this) - insanely enabling everything by default 
is not the best idea in my opinion.
Of course we need an example. Let's have a look at latest stable media-
video/mplayer-1.0_rc2_p20090322 ebuild:

IUSE="3dnow 3dnowext +a52 +aac aalib +alsa altivec +amrnb +amrwb arts +ass
bidi bindist bl +cddb +cdio cdparanoia -cpudetection -custom-cflags
-custom-cpuopts debug dga +dirac directfb doc +dts +dv dvb +dvd +dvdnav dxr3
+enca +encode esd +faac +faad fbcon ftp gif ggi -gtk +iconv ipv6 jack
joystick jpeg kernel_linux ladspa libcaca lirc +live lzo mad md5sum +mmx
mmxext mng +mp2 +mp3 musepack nas +nemesi +network openal +opengl oss png pnm
pulseaudio pvr +quicktime radio +rar +real +rtc -samba
+schroedinger sdl +speex sse sse2 ssse3 svga teletext tga +theora +tremor
+truetype +unicode v4l v4l2 vdpau vidix +vorbis -win32codecs +X +x264 xanim
xinerama +xscreensaver +xv +xvid xvmc zoran"

Personally I'd really like to hear some explanation from maintainers about the 
reasons mplayer needs all those dependencies or why they are *really* 
recommended for every user of *any* profile (let me remind this).

But thats's not the point - the point is, Gentoo probably needs some policy to 
advise, when some newly added USE flags are appropriate to be enabled by 
default.

I suggest as follows:
- When newly added USE flag makes already provided feature optional - needs to 
be enabled by default (this is required to make package feature set somewhat 
invariant after update)
- When newly added USE flag adds new feature that is considered very common 
(that's tricky part and decision should be always made by herd, not individual 
developer) *but* *does* *not* *pull* *any* *dependencies* - enable by default
- in any other case *do* *not* *enable* by default - (why? because "I use it 
so I'll enable it by default" is not enough of an explanation)

What's the opinion on that? I guess we need some policy or at least some 
suggestion mentioned in devmanual - really..

-- 
regards
MM

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Mike Frysinger]

On Monday 08 June 2009 16:12:23 Maciej Mrozowski wrote:
> I'd like to raise your attention on problem of in my opinion overusing IUSE
> defaults in various packages.
> Currently there seems to be no policy whatsoever at least advising when
> it's appropriate to add +<useflag> and when not, so it's just up to
> developer's taste.

the loose policy is to have the defaults follow what upstream intended.  
otherwise, it is left up to the maintainer on purpose -- they're supposed to 
know best.

> While it usually doesn't do any particular harm (but I guess security and
> prefix/alt team won't agree on this) - insanely enabling everything by
> default is not the best idea in my opinion.
> Of course we need an example. Let's have a look at latest stable media-
> video/mplayer-1.0_rc2_p20090322 ebuild:

mplayer and friends is a bad example.  upstream wants a lot of things enabled 
by default.

> But thats's not the point - the point is, Gentoo probably needs some policy
> to advise, when some newly added USE flags are appropriate to be enabled by
> default.

we already have one
-mike

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Robert Buchholz]

[-- Attachment #1: Type: text/plain, Size: 2851 bytes --]

On Monday 08 June 2009, Maciej Mrozowski wrote:
...
> While it usually doesn't do any particular harm (but I guess security
> and prefix/alt team won't agree on this) - insanely enabling
> everything by default is not the best idea in my opinion.

The Security Team supports all use flag combinations, even those not 
enabled by default. Masked use flags are not supported. As far as 
proactively disabling certain codecs go, that certainly exploits of 
certain (disabled) codecs. However, if the user was tricked into 
downloading a file and will see that he cannot play it due to a missing 
codec, he might just enable that use flag and rety.
The only way to be safe is to minimize the untrusted input to your 
application, keep it updated, and employ other means of hardening 
(privilege separation).

> Of course we need an example. Let's have a look at latest stable
> media- video/mplayer-1.0_rc2_p20090322 ebuild:
...
> Personally I'd really like to hear some explanation from maintainers
> about the reasons mplayer needs all those dependencies or why they
> are *really* recommended for every user of *any* profile (let me
> remind this).

You should see the list of referenced bug reports in the ChangeLog for 
an explanation: https://bugs.gentoo.org/show_bug.cgi?id=260588

As stated there, all internally supported codecs are enabled, and only 
very few default USE flags require external deps.

> But thats's not the point - the point is, Gentoo probably needs some
> policy to advise, when some newly added USE flags are appropriate to
> be enabled by default.
>
> I suggest as follows:
> - When newly added USE flag makes already provided feature optional -
> needs to be enabled by default (this is required to make package
> feature set somewhat invariant after update)
> - When newly added USE flag adds new feature that is considered very
> common (that's tricky part and decision should be always made by
> herd, not individual developer) *but* *does* *not* *pull* *any*
> *dependencies* - enable by default - in any other case *do* *not*
> *enable* by default - (why? because "I use it so I'll enable it by
> default" is not enough of an explanation)
>
> What's the opinion on that? I guess we need some policy or at least
> some suggestion mentioned in devmanual - really..

I am in favor of applying common sense (hah!). An application (and an 
OS, in general) in the default config should run the common use cases, 
and some more. It's just as easy to remove a use flag as it is to 
enable it.
And personally, I hate having to enable USE=png on all my desktop 
machines so I can use a desktop background. Just as much as I hate 
downloading some video and realizing I forgot to add USE=schroedinger 
for mplayer, and then wait for a recompile before the fun.


Robert

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 228 bytes --]

On Monday 08 June 2009 18:25:18 Robert Buchholz wrote:
> And personally, I hate having to enable USE=png on all my desktop
> machines so I can use a desktop background

eh ?  USE=png is in all default desktop profiles ...
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Robert Buchholz]

[-- Attachment #1: Type: text/plain, Size: 355 bytes --]

On Tuesday 09 June 2009, Mike Frysinger wrote:
> On Monday 08 June 2009 18:25:18 Robert Buchholz wrote:
> > And personally, I hate having to enable USE=png on all my desktop
> > machines so I can use a desktop background
>
> eh ?  USE=png is in all default desktop profiles ...

You are correct, I should choose my examples better. Good default.


Robert

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Jeremy Olexa]

Maciej Mrozowski wrote:

> While it usually doesn't do any particular harm (but I guess security and 
> prefix/alt team won't agree on this) - insanely enabling everything by default 

The Prefix team does not care either way.

> is not the best idea in my opinion.
> Of course we need an example. Let's have a look at latest stable media-
> video/mplayer-1.0_rc2_p20090322 ebuild:
> 
> IUSE="3dnow 3dnowext +a52 +aac aalib +alsa altivec +amrnb +amrwb arts +ass
> bidi bindist bl +cddb +cdio cdparanoia -cpudetection -custom-cflags
> -custom-cpuopts debug dga +dirac directfb doc +dts +dv dvb +dvd +dvdnav dxr3
> +enca +encode esd +faac +faad fbcon ftp gif ggi -gtk +iconv ipv6 jack
> joystick jpeg kernel_linux ladspa libcaca lirc +live lzo mad md5sum +mmx
> mmxext mng +mp2 +mp3 musepack nas +nemesi +network openal +opengl oss png pnm
> pulseaudio pvr +quicktime radio +rar +real +rtc -samba
> +schroedinger sdl +speex sse sse2 ssse3 svga teletext tga +theora +tremor
> +truetype +unicode v4l v4l2 vdpau vidix +vorbis -win32codecs +X +x264 xanim
> xinerama +xscreensaver +xv +xvid xvmc zoran"
> 
> Personally I'd really like to hear some explanation from maintainers about the 
> reasons mplayer needs all those dependencies or why they are *really* 
> recommended for every user of *any* profile (let me remind this).
> 
> But thats's not the point - the point is, Gentoo probably needs some policy to 
> advise, when some newly added USE flags are appropriate to be enabled by 
> default.
> 
> I suggest as follows:
> - When newly added USE flag makes already provided feature optional - needs to 
> be enabled by default (this is required to make package feature set somewhat 
> invariant after update)
> - When newly added USE flag adds new feature that is considered very common 
> (that's tricky part and decision should be always made by herd, not individual 
> developer) *but* *does* *not* *pull* *any* *dependencies* - enable by default
> - in any other case *do* *not* *enable* by default - (why? because "I use it 
> so I'll enable it by default" is not enough of an explanation)
> 
> What's the opinion on that? I guess we need some policy or at least some 
> suggestion mentioned in devmanual - really..

IUSE defaults or USE defaults in profiles..Either way...someone will 
complain. This is why you can disable flags in package.use, *or* select 
a non-desktop profile. meh..

-Jeremy

Re: [gentoo-dev] Policy regarding enabling IUSE defaults application in ebuild

[Federico Ferri]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maciej Mrozowski wrote:
> Hi
>
> I'd like to raise your attention on problem of in my opinion overusing
IUSE
> defaults in various packages.
> Currently there seems to be no policy whatsoever at least advising when
it's
> appropriate to add +<useflag> and when not, so it's just up to developer's
> taste.
> While it usually doesn't do any particular harm (but I guess security and
> prefix/alt team won't agree on this) - insanely enabling everything by
default
> is not the best idea in my opinion.
> Of course we need an example. Let's have a look at latest stable media-
> video/mplayer-1.0_rc2_p20090322 ebuild:
>
> IUSE="3dnow 3dnowext +a52 +aac aalib +alsa altivec +amrnb +amrwb arts +ass
> bidi bindist bl +cddb +cdio cdparanoia -cpudetection -custom-cflags
> -custom-cpuopts debug dga +dirac directfb doc +dts +dv dvb +dvd +dvdnav
dxr3
> +enca +encode esd +faac +faad fbcon ftp gif ggi -gtk +iconv ipv6 jack
> joystick jpeg kernel_linux ladspa libcaca lirc +live lzo mad md5sum +mmx
> mmxext mng +mp2 +mp3 musepack nas +nemesi +network openal +opengl oss
png pnm
> pulseaudio pvr +quicktime radio +rar +real +rtc -samba
> +schroedinger sdl +speex sse sse2 ssse3 svga teletext tga +theora +tremor
> +truetype +unicode v4l v4l2 vdpau vidix +vorbis -win32codecs +X +x264 xanim
> xinerama +xscreensaver +xv +xvid xvmc zoran"


moreover, there are certain USE flags that do not make sense in
IUSE="+<flag>".
for example alsa: if I use alsa, I want alsa globally enable in
/etc/make.conf
if I not use it (e.g. not in my profile) why should I explicitly put
- -alsa in $USE?
this may lead to an explosion of -<flag> flags in $USE.

probably this example falls back into the "flag which pulls
dependencies" case, but it is one more argument.


configure scripts already have default values for the configure
switches, and ebuilds should try to follow the defaults by putting
+<flag> where needed, but with some exceptions (maybe on a
flag-by-flag basis, or -more generally- by use-case, like you just wrote)

- --
mescalinum@g.o
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoz2rMACgkQV/B5axfzrPs1dACeKIfPZ6XMRlD4Nf6L5s9WyCw5
uukAoKVmF2OMSykUhKwQ7aR5vR4j/+Nz
=LuUh
-----END PGP SIGNATURE-----