From: Sven Vermeulen
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Guidelines for dangerous USE flags
Date: Tue, 22 Aug 2017 17:37:51 +0000
Message-ID: <20170822173751.GA18719@gentoo.org>
In-Reply-To: <17347fd7-d6ed-4c08-8d02-24df9237b576@gentoo.org>

On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> The net-analyzer/nrpe package has a ./configure flag:
>
>   --enable-command-args   allows clients to specify command arguments. ***
>                           THIS IS A SECURITY RISK! *** Read the SECURITY
>                           file before using this option!
>
> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
> it from nrpe-3.x, and a user just asked about it (bug 628596). There are
> at least two things we could do with a dangerous flag like that:
>
> 1) require EXTRA_ECONF to enable it.
> 2) hide it behind a masked USE flag.
>
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?

I like the masked USE flag approach. Using EXTRA_ECONF requires a bit more
work from the user (not much though) but is less visible afterwards in my
opinion.

Perhaps a name that implies that there is a security risk could be
interesting, but that's a minor suggestion.

Is there a way we could somehow ensure that a USE flag is never set
globally, but only on a per-package basis?

Wkr,
  Sven Vermeulen
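An added example, not code from this thread or from Portage: a small audit helper that reports whether a flag such as command-args is enabled globally through make.conf or only per package through package.use, the distinction Sven asks about. The make.conf and package.use contents are constructed samples, and the parsing is a simplified reading of the two file formats, not Portage's own parser.

```python
"""Hypothetical audit helper (added example): find out where a USE flag is set."""
import re

# Constructed sample inputs, not files taken from any real system.
SAMPLE_MAKE_CONF = '''
CFLAGS="-O2 -pipe"
USE="ssl -X
     command-args"
'''
SAMPLE_PACKAGE_USE = '''
# unmasked on purpose for one monitored host, see bug 628596
net-analyzer/nrpe command-args
net-analyzer/nagios-core -command-args ssl
'''

def make_conf_use(text):
    """Flags enabled by the (possibly multi-line, quoted) USE= in make.conf.
    A later '-flag' cancels an earlier 'flag', as in Portage's left-to-right stacking."""
    enabled = set()
    for m in re.finditer(r'^\s*USE\s*=\s*(".*?"|\'.*?\'|\S+)', text, re.M | re.S):
        for flag in m.group(1).strip('"\'').split():
            if flag.startswith('-'):
                enabled.discard(flag[1:])
            else:
                enabled.add(flag)
    return enabled

def package_use(text):
    """Parse package.use lines of the form '<atom> flag [-flag ...]'; '#' starts a comment."""
    result = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            atom, *flags = line.split()
            result[atom] = flags
    return result

def flag_scope(flag, make_conf_text, package_use_text):
    """Return (enabled_globally, atoms_enabling_it, atoms_explicitly_disabling_it).
    Atoms that do not mention the flag are left out; the last mention on a line wins."""
    global_on = flag in make_conf_use(make_conf_text)
    on, off = [], []
    for atom, flags in package_use(package_use_text).items():
        state = None
        for f in flags:
            if f == flag:
                state = True
            elif f == '-' + flag:
                state = False
        if state is True:
            on.append(atom)
        elif state is False:
            off.append(atom)
    return global_on, sorted(on), sorted(off)
```

With the sample above the flag is enabled globally, so the per-package `-command-args` on nagios-core is doing real work and every other package silently gets the risky option.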