public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
@ 2014-08-29 15:30 Sven Vermeulen
  2014-09-01 21:26 ` Tom Wijsman
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2014-08-29 15:30 UTC
  To: gentoo-dev

tldr; I want to remove USE="selinux" deps from DEPEND in
non-libselinux-linking packages in a sane manner and use a bug tracker with
6 months timeframe.

Hi all

In the past, to enable proper SELinux support in our tree, we had to have
the appropriate SELinux policy modules installed and loaded before the
package/application for which the policy was designed is merged to the
system. The reason is that otherwise the files installed on the system will
have the wrong labels assigned, making the applications unable to function
properly.

We implemented this by having the USE="selinux" triggered dependency in both
DEPEND (needed before merge) and RDEPEND (policy needs to be available
during runtime), like so:

DEPEND="selinux? ( sec-policy/selinux-somepolicy )"
RDEPEND="selinux? ( sec-policy/selinux-somepolicy )"

Recently, we updated the SELinux eclass so that after installation of a
policy package, the reverse dependencies of that package are looked up and
those reverse dependencies are relabeled (i.e. proper SELinux labels are
assigned to the files of that package).

With this change, we implement the same end result (correctly labeled files
after installation) while removing the need for the DEPEND dependency. After
all, this was not a build-time dependency but a "merge-time" one, which we
abused a bit to make things work.

With this change in place, we can now update the tree (at least, for those
packages that do not have other SELinux related dependency requirements -
those that link with libselinux still need it in DEPEND of course) to remove
the USE="selinux" conditional dependency from DEPEND.

Given the discussion on dynamic dependencies and so, I am thinking about
doing this as follows:

1. Create a tracker with separate bugs for every package where this change
   can be made
2. Give developers time to apply this (simple) change together with whatever
   other changes they were planning.
3. After 6 months or so, do the change myself (with revbump)

I don't think it is useful for end users that I do the change immediately as
this creates package bumps (and rebuilds) with no real benefit, and not
bumping is also not a good idea given the discussion on dynamic dependencies
in the past.

By providing a 6-months period, developers can put in this change when they
are bumping the package themselves (for functional and other reasons) and
the bugs (with tracker) allow developers to not forget this.

Is this a good approach to take?

Happy to hear your thoughts on this,

	Sven Vermeulen


* Re: [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
  2014-08-29 15:30 [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND Sven Vermeulen
@ 2014-09-01 21:26 ` Tom Wijsman
  2014-11-01 12:17   ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Tom Wijsman @ 2014-09-01 21:26 UTC
  To: gentoo-dev; +Cc: swift

On Fri, 29 Aug 2014 15:30:29 +0000
Sven Vermeulen <swift@gentoo.org> wrote:

> [...]
> 
> With this change, we implement the same end result (correctly labeled
> files after installation) while removing the need for the DEPEND
> dependency. After all, this was not a build-time dependency but a
> "merge-time" one, which we abused a bit to make things work.
> 
> With this change in place, we can now update the tree (at least, for
> those packages that do not have other SELinux related dependency
> requirements - those that link with libselinux still need it in
> DEPEND of course) to remove the USE="selinux" conditional dependency
> from DEPEND.
> 
> Given the discussion on dynamic dependencies and so, I am thinking
> about doing this as follows:
> 
> 1. Create a tracker with separate bugs for every package where this
> change can be made
> 2. Give developers time to apply this (simple) change together with
> whatever other changes they were planning.
> 3. After 6 months or so, do the change myself (with revbump)
> 
> [...]
> 
> Is this a good approach to take?
> 
> [...]


LGTM; we should avoid unnecessary bumps & rebuilds for trivial changes,
especially when a USE flag based dependency line is removed from DEPEND.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D

* Re: [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
  2014-09-01 21:26 ` Tom Wijsman
@ 2014-11-01 12:17   ` Sven Vermeulen
  2014-11-01 12:52     ` Michał Górny
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2014-11-01 12:17 UTC
  To: gentoo-dev

On Mon, Sep 01, 2014 at 11:26:49PM +0200, Tom Wijsman wrote:
> > [...]
> > 
> > With this change, we implement the same end result (correctly labeled
> > files after installation) while removing the need for the DEPEND
> > dependency. After all, this was not a build-time dependency but a
> > "merge-time" one, which we abused a bit to make things work.
> > 
> > With this change in place, we can now update the tree (at least, for
> > those packages that do not have other SELinux related dependency
> > requirements - those that link with libselinux still need it in
> > DEPEND of course) to remove the USE="selinux" conditional dependency
> > from DEPEND.
> > 
> > Given the discussion on dynamic dependencies and so, I am thinking
> > about doing this as follows:
> > 
> > 1. Create a tracker with separate bugs for every package where this
> > change can be made
> > 2. Give developers time to apply this (simple) change together with
> > whatever other changes they were planning.
> > 3. After 6 months or so, do the change myself (with revbump)
> > 
> > [...]
> > 
> > Is this a good approach to take?
> > 
> > [...]
> 
> 
> LGTM; we should avoid unnecessary bumps & rebuilds for trivial changes,
> especially when a USE flag based dependency line is removed from DEPEND.

Michał Górny told me on IRC that I might be approaching this incorrectly (or
at least, inefficiently). I was working on the massive bug-spree (right now
stopped around 22% of the packages to investigate) so I'm temporarily
holding off until I'm certain.

The only change I want to instill on packages is to remove the USE="selinux"
specific dependency to a sec-policy/selinux-* package from the DEPEND
variable. So something like:

 DEPEND="
 	foo
-	bar
-	selinux? ( sec-policy/selinux-bez )"
+ 	bar"
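
Review bot: the added line `+ 	bar"` starts with a space before the tab, while the line it replaces (`-	bar`) and the `foo` context line are indented with a tab only, so the last entry would end up indented differently from the rest of the list; drop the stray space. The hunk also covers DEPEND alone, so the change description should state that the matching `selinux? ( sec-policy/selinux-bez )` entry stays in RDEPEND, because nothing in these lines shows where the policy package is still pulled in.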

If I am allowed to do this change without revbumping, I can just stop making
massive bug reports and do the change(s) myself...

Someone? Pretty-please?

Wkr,
	Sven Vermeulen




* Re: [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
  2014-11-01 12:17   ` Sven Vermeulen
@ 2014-11-01 12:52     ` Michał Górny
  2014-11-01 19:36       ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Michał Górny @ 2014-11-01 12:52 UTC
  To: Sven Vermeulen; +Cc: gentoo-dev

On 2014-11-01, at 12:17:22
Sven Vermeulen <swift@gentoo.org> wrote:

> On Mon, Sep 01, 2014 at 11:26:49PM +0200, Tom Wijsman wrote:
> > > [...]
> > > 
> > > With this change, we implement the same end result (correctly labeled
> > > files after installation) while removing the need for the DEPEND
> > > dependency. After all, this was not a build-time dependency but a
> > > "merge-time" one, which we abused a bit to make things work.
> > > 
> > > With this change in place, we can now update the tree (at least, for
> > > those packages that do not have other SELinux related dependency
> > > requirements - those that link with libselinux still need it in
> > > DEPEND of course) to remove the USE="selinux" conditional dependency
> > > from DEPEND.
> > > 
> > > Given the discussion on dynamic dependencies and so, I am thinking
> > > about doing this as follows:
> > > 
> > > 1. Create a tracker with separate bugs for every package where this
> > > change can be made
> > > 2. Give developers time to apply this (simple) change together with
> > > whatever other changes they were planning.
> > > 3. After 6 months or so, do the change myself (with revbump)
> > > 
> > > [...]
> > > 
> > > Is this a good approach to take?
> > > 
> > > [...]
> > 
> > 
> > LGTM; we should avoid unnecessary bumps & rebuilds for trivial changes,
> > especially when a USE flag based dependency line is removed from DEPEND.
> 
> Michał Górny told me on IRC that I might be approaching this incorrectly (or
> at least, inefficiently). I was working on the massive bug-spree (right now
> stopped around 22% of the packages to investigate) so I'm temporarily
> holding off until I'm certain.
> 
> The only change I want to instill on packages is to remove the USE="selinux"
> specific dependency to a sec-policy/selinux-* package from the DEPEND
> variable. So something like:
> 
>  DEPEND="
>  	foo
> -	bar
> -	selinux? ( sec-policy/selinux-bez )"
> + 	bar"
> 
> If I am allowed to do this change without revbumping, I can just stop making
> massive bug reports and do the change(s) myself...

You should have emphasized that the dependency will still be
in RDEPEND. As I said with QA hat on, such a change is fine since it
affects build-time dependencies only. People who installed the package
already are not affected.

-- 
Best regards,
Michał Górny
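
The condition raised in this reply, that the policy dependency must remain in RDEPEND once it is removed from DEPEND, can be checked mechanically. The script below is an added example, not part of the original thread or of Gentoo tooling; the function names, verdict strings and sample ebuild fragments are constructed, and it scans text only, so indirection such as RDEPEND="${DEPEND}" is not resolved.

```shell
#!/bin/sh
# Added example (not Gentoo tooling): classify ebuilds by where the
# USE=selinux policy dependency appears. Plain text scan only.

# Print the double-quoted, possibly multi-line value of variable $1 in file $2.
dep_value() {
    awk -v var="$1" '
        !grab && index($0, var "=\"") == 1 {
            grab = 1
            $0 = substr($0, length(var) + 3)    # strip VAR="
        }
        grab {
            q = index($0, "\"")
            if (q) { print substr($0, 1, q - 1); exit }
            print
        }' "$2"
}

# True when variable $1 in file $2 holds selinux? ( sec-policy/selinux-... ).
has_policy_dep() {
    dep_value "$1" "$2" | tr -s ' \t\n' ' ' |
        grep -Eq '(^| )selinux\? \( sec-policy/selinux-'
}

# Verdict for one ebuild file.
audit_ebuild() {
    if has_policy_dep RDEPEND "$1"; then
        if has_policy_dep DEPEND "$1"; then
            echo "drop-from-DEPEND"   # merge-time dep still listed as build-time
        else
            echo "ok"                 # policy pulled in through RDEPEND only
        fi
    elif has_policy_dep DEPEND "$1"; then
        echo "rdepend-missing"        # removal would leave no policy dependency
    else
        echo "no-policy-dep"
    fi
}

# Constructed sample ebuild fragments (hypothetical package atoms).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'DEPEND="\n\tfoo\n\tbar\n\tselinux? ( sec-policy/selinux-bez )"\nRDEPEND="foo\n\tselinux? ( sec-policy/selinux-bez )"\n' > "$sample_dir/old.ebuild"
printf 'DEPEND="\n\tfoo\n\tbar"\nRDEPEND="foo\n\tselinux? ( sec-policy/selinux-bez )"\n' > "$sample_dir/new.ebuild"
printf 'DEPEND="foo\n\tselinux? ( sec-policy/selinux-bez )"\nRDEPEND="foo"\n' > "$sample_dir/bad.ebuild"

for f in old new bad; do
    printf '%s: %s\n' "$f" "$(audit_ebuild "$sample_dir/$f.ebuild")"
done
```

An ebuild reported as `rdepend-missing` needs its RDEPEND fixed before the DEPEND entry is dropped, otherwise the policy module is never installed on SELinux systems.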

* Re: [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
  2014-11-01 12:52     ` Michał Górny
@ 2014-11-01 19:36       ` Sven Vermeulen
  2014-11-01 21:46         ` Rick "Zero_Chaos" Farina
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2014-11-01 19:36 UTC
  To: gentoo-dev

On Sat, Nov 01, 2014 at 01:52:57PM +0100, Michał Górny wrote:
> > Michał Górny told me on IRC that I might be approaching this incorrectly (or
> > at least, inefficiently). I was working on the massive bug-spree (right now
> > stopped around 22% of the packages to investigate) so I'm temporarily
> > holding off until I'm certain.
> > 
> > The only change I want to instill on packages is to remove the USE="selinux"
> > specific dependency to a sec-policy/selinux-* package from the DEPEND
> > variable. So something like:
> > 
> >  DEPEND="
> >  	foo
> > -	bar
> > -	selinux? ( sec-policy/selinux-bez )"
> > + 	bar"
> > 
> > If I am allowed to do this change without revbumping, I can just stop making
> > massive bug reports and do the change(s) myself...
> 
> You should have emphasized that the dependency will still be
> in RDEPEND. As I said with QA hat on, such a change is fine since it
> affects build-time dependencies only. People who installed the package
> already are not affected.

Thanks. I'll do the necessary updates tomorrow then (without revbump) and invalidate
the bug reports I already made.

Wkr,
	Sven Vermeulen


* Re: [gentoo-dev] Removing 'selinux? ( sec-policy/selinux-*)' from DEPEND
  2014-11-01 19:36       ` Sven Vermeulen
@ 2014-11-01 21:46         ` Rick "Zero_Chaos" Farina
  0 siblings, 0 replies; 6+ messages in thread
From: Rick "Zero_Chaos" Farina @ 2014-11-01 21:46 UTC
  To: gentoo-dev

On 11/01/2014 03:36 PM, Sven Vermeulen wrote:
> On Sat, Nov 01, 2014 at 01:52:57PM +0100, Michał Górny wrote:
>>> Michał Górny told me on IRC that I might be approaching this incorrectly (or
>>> at least, inefficiently). I was working on the massive bug-spree (right now
>>> stopped around 22% of the packages to investigate) so I'm temporarily
>>> holding off until I'm certain.
>>>
>>> The only change I want to instill on packages is to remove the USE="selinux"
>>> specific dependency to a sec-policy/selinux-* package from the DEPEND
>>> variable. So something like:
>>>
>>>  DEPEND="
>>>  	foo
>>> -	bar
>>> -	selinux? ( sec-policy/selinux-bez )"
>>> + 	bar"
>>>
>>> If I am allowed to do this change without revbumping, I can just stop making
>>> massive bug reports and do the change(s) myself...
>>
>> You should have emphasized that the dependency will still be
>> in RDEPEND. As I said with QA hat on, such a change is fine since it
>> affects build-time dependencies only. People who installed the package
>> already are not affected.
> 
> Thanks. I'll do the necessary updates tomorrow then (without revbump) and invalidate
> the bug reports I already made.

<hat=QA>
Just since you poked me on IRC and I tend to yell at anyone who breaks
the dep tree by making RDEPEND changes without revbump....

I agree with mgorny.  I don't believe this change will cause any issues
with the dep tree for people who aren't, or cannot, run dynamic deps.

Please proceed to make your changes as desired, without revbump, and you
may close your bugs.

Thanks,
Zero</hat>
> 
> Wkr,
> 	Sven Vermeulen
> 
> 


