On 4/3/24 11:30 AM, Eddie Chapman wrote:
> Just to report I've been able to remove app-arch/xz-utils from my own
> workstation, with 2412 packages installed and running kde. I'm going to
> roll it out to my other gentoo systems which have a lot less stuff on them
> so am confident will be fine. It's not completely trivial but not as
> difficult as I imagined it to be, certainly something an advance Gentoo
> user could do if they wanted, with instructions. It does involve a
> relatively small hack and functionality previously provided by xz-utils is
> replaced by app-arch/p7zip.


I'd just like to clarify my previous posts: what you're describing here
is neat and productive and valid to my eyes. Actually, I wish this had
been the topic of the *first* post in this thread. :)

Replacing implementations has several great uses. There's some prior art
in make.conf, but it doesn't go far enough:

PORTAGE_BZIP2_COMMAND
BINPKG_COMPRESS
BINPKG_COMPRESS_FLAGS

Disregarding the security component entirely, one might wish to use pixz
or pigz instead of the default programs. Why not 7zip as well?

In terms of security, this suggests an easy and simple way both to allow
users to depclean xz-utils without sacrificing the ability to install
packages using *.tar.xz sources, and for Gentoo to roll out an update
that would do this distribution-wide if necessary via a trivial
configuration change.


https://dev.gentoo.org/~ulm/pms/head/pms.html#section-12.3.15 may need
updating to allow this. But it seems very valid to propose doing exactly
that. I am not sure why it specifies e.g. "must ensure that GNU gzip"
with heavy ties to implementations, when it doesn't specify such for
compression.

I'm guessing what you did was override/hook the unpack phase helper
function and divert it to 7zip instead. ;) It would be interesting to
have actual hooks for that instead.





-- 
Eli Schwartz