From: Kent Fredric
Date: Tue, 29 Aug 2017 21:21:09 +1200
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Guidelines for dangerous USE flags
Message-ID: <20170829211332.61f19e10@katipo2.lan>

On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
Duncan <1i5t5.duncan@cox.net> wrote:

> nrpe-command-args-SECURITY-HOLE
> or just
> nrpe-GAPING-SECURITY-HOLE

That's probably excessive; if you set that USE flag globally, you
deserve what you get.

And if you are responsible and you know what you're getting, then you
should be allowed to do that (even though I struggle to understand
why).

For everything else there is /etc/portage/package.use

Or maybe it could be a required-use:

    REQUIRED_USE="nrpe? ( GAPING_SECURITY_HOLE )"

Alternatively, you could have a pkg_pretend like:

    pkg_pretend() {
        # Abort before the build unless this package is explicitly
        # listed in the GAPING_SECURITY_HOLE variable.
        if use nrpe && ! has "${CATEGORY}/${PN}" ${GAPING_SECURITY_HOLE}; then
            einfo "nrpe feature introduces a security risk where in blah blah"
            einfo " blah, please read https://wiki.gentoo.org/etc/etc for"
            einfo " details and how to enable this"
            die "Security Hole Not Permitted"
        fi
    }

But I say that only because the current REQUIRED_USE feature makes it nigh
impossible to understand from a human perspective what that assertion
means.