[gentoo-dev] Portage 2.0.51 comments/questions

[gentoo-dev] Portage 2.0.51 comments/questions

[Duncan]

OK, I've been running portage 2.0.51-whatever for several releases, and
it's certainly beginning to shape up nicely!  Here are some
comments/questions/suggestions, FWTW..

1) The new "spinner" is /very/ cool!

Some of the phrases, however, are a bit difficult to make out, as the
scanning is a bit to fast to read (at least on my dual opteron). Could a
couple more letters be lit up at the same time? Just from observation (not
looking at the code), it appears one letter is lit at "bright", the ones
on each side same color (green), but without the brite attribute. Maybe
make double that to two letters brite, two on each side normal.. or maybe
three. 

Anyway, it's a /very/ cool feature!  Whoever came up with the idea and if
the idea was borrowed from elsewhere, whoever decided it'd be cool for
portage to have it also, I AGREE!  Major kudos!  It immediately impressed
me!

2) Documentation is coming alone nicely.

It's nice to see updated 2.0.51 versions of the various man pages, now.

I'm seeing a couple things missing still, tho.  The main one I noticed was
the portage (5) manpage doesn't list the new /etc/portage/profile yet. 
Also, an earlier einfo mentioned /etc/portage/profiles/virtuals while the
new inject depreciated message mentions
/etc/portage/profile/package.provided.  I assume these are supposed to
both be the same dir, but don't know whether it's profile or profiles. 
Granted, a typo or changed policy is fine, but without documentation
confirming one or the other as right, I'm left guessing.

3) What about the QA Notices?

Evidently .51 is rather stricter in some things than .50 and a number of
things are QA Notices now that were silent, before.  Are things to the
point where it's worthwhile bugging the various ebuilds that emit these
notices, illegal eclass inheritance and the like, or are there still
enough of them it'd just be unnecessary noise?

What about that security notice I've seen pop up a few times?  Example:

QA Notice: Security risk /usr/bin/crontab. Please consider relinking with
'append-ldflags -Wl,-z,now' to fix.

What's this mean?  What are the implications?  How do I do that relinking
if I decide I need to?   Can I fix it by enabling a feature in make.conf
or do I run a separate command?  Either way, there's not enough info there
to actually DO it, nor do I even have enough info to rightly evaluate the
"security risk"!

There's simply not enough there to be anything but a teaser, yet it's
labeled security risk.  Someone's being *MEAN* with their teasing! =:^\

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Anthony Gorecki]

[-- Attachment #1: Type: text/plain, Size: 1457 bytes --]

On Sunday 26 September 2004 8:52 pm, Duncan wrote:
> 1) The new "spinner" is /very/ cool!

I found it annoying, especially on systems that use varying screen 
resolutions; thankfully it doesn't seem to be present in portage-2.0.51-rc5 
and later.


Has anyone else had this version break updates where the distfiles directory 
is contained within a remote Samba share? I receive the following error 
message whenever I attempt to merge a package, and Bugzilla doesn't seem to 
have the issue listed:

entro ~ # emerge vim
Calculating dependencies  ...done!
>>> emerge (1 of 1) app-editors/vim-6.3-r1 to /
*** Adjusting cvs-src permissions for portage user...
Traceback (most recent call last):
  File "/usr/bin/emerge", line 2844, in ?
    mydepgraph.merge(mydepgraph.altlist())
  File "/usr/bin/emerge", line 1737, in merge
    retval=portage.doebuild(y,"merge",myroot,self.pkgsettings,edebug)
  File "/usr/lib/portage/pym/portage.py", line 2370, in doebuild
    if not fetch(fetchme, mysettings, listonly=listonly, fetchonly=fetchonly):
  File "/usr/lib/portage/pym/portage.py", line 1780, in fetch
    portage_locks.unlockfile(file_lock)
  File "/usr/lib/portage/pym/portage_locks.py", line 126, in unlockfile
    raise IOError, "Failed to unlock file '%s'\n" % lockfilename
IOError: Failed to unlock file 
'/usr/portage/distfiles/.locks/vim-6.3.tar.bz2.portage_lockfile'


-- 
Anthony Gorecki
Ectro-Linux Foundation


[-- Attachment #2: Type: application/pgp-signature, Size: 828 bytes --]

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Mike Frysinger]

On Monday 27 September 2004 12:42 am, Anthony Gorecki wrote:
> Has anyone else had this version break updates where the distfiles
> directory is contained within a remote Samba share?

latest .51 has been getting a lot of lock work; update to rc6 and see if it's 
fixed
-mike

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Anthony Gorecki]

[-- Attachment #1: Type: text/plain, Size: 456 bytes --]

On Monday 27 September 2004 7:14 pm, Mike Frysinger wrote:
> latest .51 has been getting a lot of lock work; update to rc6 and see if
> it's fixed

Unfortunately, I can't upgrade portage-- or anything else. Every emerge 
request fails with a locking error.

I'll revert to a local distfiles directory later tonight, which will hopefully 
solve the problem until the locking issues are resolved.


-- 
Anthony Gorecki
Ectro-Linux Foundation


[-- Attachment #2: Type: application/pgp-signature, Size: 828 bytes --]

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Stephen P. Becker]

Anthony Gorecki wrote:
> On Monday 27 September 2004 7:14 pm, Mike Frysinger wrote:
> 
>>latest .51 has been getting a lot of lock work; update to rc6 and see if
>>it's fixed
> 
> 
> Unfortunately, I can't upgrade portage-- or anything else. Every emerge 
> request fails with a locking error.
> 
> I'll revert to a local distfiles directory later tonight, which will hopefully 
> solve the problem until the locking issues are resolved.
> 
> 

Run the emerge, then in another terminal (while portage is still 
running), rm /usr/portage/distfiles/.lock/*

That should let it proceed.

Steve


--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Mike Frysinger]

On Monday 27 September 2004 10:33 pm, Anthony Gorecki wrote:
> Unfortunately, I can't upgrade portage-- or anything else. Every emerge
> request fails with a locking error.

yes you can, if you cheat :)
DISTDIR=/dev/shm emerge portage
-mike

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Nicholas Jones]

[-- Attachment #1: Type: text/plain, Size: 1764 bytes --]

> 1) The new "spinner" is /very/ cool!

It's been moved to FEATURES="candy"

I was bored while testing NFS locks and whipped that up. Genone has
a multi-character version somewhere. We'll make it prettier later.

I also modified the regular spinner, but nobody watches that one
close enough to actually notice.

--nospinner got updated as well. It now displays 100 updates in a
'.' that gets printed out instead of nothing.


> 2) Documentation is coming alone nicely.
...
> /etc/portage/profiles/virtuals [...]
> /etc/portage/profile/package.provided
> both be the same dir, but don't know whether it's profile or profiles. 
> Granted, a typo or changed policy is fine, but without documentation
> confirming one or the other as right, I'm left guessing.

It's singular. I've updated all the references otherwise.
They'll be in CVS before I post this. They are only in the ebuild
as the plural version.

> 3) What about the QA Notices?
> enough of them it'd just be unnecessary noise?

Occasionally someone notices a problem.
Occasionally someone mentions a problem.
Occasionally*Occasionally someone reports an Occasional problem.

It get fixed faster if everyone is yelling for it to stop.
Fixes by annoyance. Cheap, Easy, and Quick.

> What about that security notice I've seen pop up a few times?  Example:
>
> QA Notice: Security risk /usr/bin/crontab. Please consider relinking with
> 'append-ldflags -Wl,-z,now' to fix.

For the full implications you should talk to the security hardened/
security guys. Solar is the one that put that patch up for me to add.
Basically, there is the potential to use a glibc exploit to induce a
race that could allow you to do weird things with libraries and files.


--NJ


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-dev] Re: Portage 2.0.51 comments/questions

[Duncan]

Nicholas Jones posted <20040927083145.GA27459@twobit.net>, excerpted
below,  on Mon, 27 Sep 2004 04:31:46 -0400:

>> 1) The new "spinner" is /very/ cool!
> 
> It's been moved to FEATURES="candy"

Hmm.  Good choice since some don't like it.  I'm turning it on right now! 
Some candy I like, especially when I don't have to worry about calories!
<g>

>> 2) Documentation is coming alone nicely.
> ...
>> /etc/portage/profiles/ [or] /etc/portage/profile/
> 
> It's singular. I've updated all the references otherwise. They'll be in
> CVS before I post this. They are only in the ebuild as the plural
> version.

Noted.  Thanks.

>> 3) What about the QA Notices?
>> enough of them it'd just be unnecessary noise?
> 
> It get fixed faster if everyone is yelling for it to stop. Fixes by
> annoyance. Cheap, Easy, and Quick.

<g>  From Paul's reply, looks like patches are needed.  I'm better at
filing bugs than patching, so won't worry about it ATM.  However, if I
have time, I'll look into it a bit and see if those sorts of things are
within my definitely limited abilities.

>> What about that security notice I've seen pop up a few times?  Example:
>>
>> QA Notice: Security risk /usr/bin/crontab. Please consider relinking
>> with 'append-ldflags -Wl,-z,now' to fix.
> 
> For the full implications you should talk to the security hardened/
> security guys. Solar is the one that put that patch up for me to add.
> Basically, there is the potential to use a glibc exploit to induce a
> race that could allow you to do weird things with libraries and files.

Thanks.  Hopin' someone from hardened will take a swing at this then and
enlighten me a bit more.  If not, maybe I'll have to subscribe to that
list and ask there, if google-linux isn't any help.  At least I've a bit
to start a search on now, more than I had b4.

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Paul de Vrieze]

[-- Attachment #1: Type: text/plain, Size: 753 bytes --]

On Monday 27 September 2004 05:52, Duncan wrote:
>
> Evidently .51 is rather stricter in some things than .50 and a number
> of things are QA Notices now that were silent, before.  Are things to
> the point where it's worthwhile bugging the various ebuilds that emit
> these notices, illegal eclass inheritance and the like, or are there
> still enough of them it'd just be unnecessary noise?

If you could come up with patches for those ebuilds (or eclasses) then 
please post them to bugzilla. (We get the notices too) Without patches it 
is probably more of an annoyance than actually useful (most maintainers 
know about them).

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-dev] Re: Portage 2.0.51 comments/questions

[Duncan]

Paul de Vrieze posted <200409271101.42703.pauldv@gentoo.org>, excerpted
below,  on Mon, 27 Sep 2004 11:01:42 +0200:

> On Monday 27 September 2004 05:52, Duncan wrote:
>>
>> Evidently .51 is rather stricter in some things than .50 and a number
>> of things are QA Notices now that were silent, before.  Are things to
>> the point where it's worthwhile bugging the various ebuilds that emit
>> these notices, illegal eclass inheritance and the like, or are there
>> still enough of them it'd just be unnecessary noise?
> 
> If you could come up with patches for those ebuilds (or eclasses) then 
> please post them to bugzilla. (We get the notices too) Without patches it 
> is probably more of an annoyance than actually useful (most maintainers 
> know about them).

Thanks.  I figured something of that nature.  My ability in that area is
somewhat limited and I haven't looked to see if it's within my range, yet,
so I'll avoid filing on them now.  I had just seen enough of them to goad
me into asking, lest I be guilty of not giving back where I could, since
one thing I /can/ do is file bugs! <g>

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 3097 bytes --]

On Sun, 2004-09-26 at 23:52, Duncan wrote:
> OK, I've been running portage 2.0.51-whatever for several releases, and
> it's certainly beginning to shape up nicely!  Here are some
> comments/questions/suggestions, FWTW..
> 
> 1) The new "spinner" is /very/ cool!

New eye candy?

OOh... and how do I view this new whiz-bang feature of portage?

*grin*

> 2) Documentation is coming alone nicely.
> 
> It's nice to see updated 2.0.51 versions of the various man pages, now.
> 
> I'm seeing a couple things missing still, tho.  The main one I noticed was
> the portage (5) manpage doesn't list the new /etc/portage/profile yet. 
> Also, an earlier einfo mentioned /etc/portage/profiles/virtuals while the
> new inject depreciated message mentions
> /etc/portage/profile/package.provided.  I assume these are supposed to
> both be the same dir, but don't know whether it's profile or profiles. 
> Granted, a typo or changed policy is fine, but without documentation
> confirming one or the other as right, I'm left guessing.

profiles

> 3) What about the QA Notices?
> 
> Evidently .51 is rather stricter in some things than .50 and a number of
> things are QA Notices now that were silent, before.  Are things to the
> point where it's worthwhile bugging the various ebuilds that emit these
> notices, illegal eclass inheritance and the like, or are there still
> enough of them it'd just be unnecessary noise?

I think we're getting close to time to start writing bugs for the
ebuilds that don't have them already.  I would think most of the worst
offenders already have bugs.

> What about that security notice I've seen pop up a few times?  Example:
> 
> QA Notice: Security risk /usr/bin/crontab. Please consider relinking with
> 'append-ldflags -Wl,-z,now' to fix.
> 
> What's this mean?  What are the implications?  How do I do that relinking
> if I decide I need to?   Can I fix it by enabling a feature in make.conf
> or do I run a separate command?  Either way, there's not enough info there
> to actually DO it, nor do I even have enough info to rightly evaluate the
> "security risk"!

Actually, that is more a message for the developer.  You can perform the
same function locally with the LDFLAGS variable in your make.conf, but
really the package should be fixed by the developer by adding the
"append-ldflags -Wl,-z,now" to the ebuilds, as stated by the emerge
process.  This has all been since sfperms was added to the default
FEATURES.

> There's simply not enough there to be anything but a teaser, yet it's
> labeled security risk.  Someone's being *MEAN* with their teasing! =:^\

Blame solar... if that doesn't work, blame vapier... I'm sure it is his
fault somehow...

I definitely agree, though.  We shouldn't be spewing out "This could
allow people to own your box" messages without spewing out "...and
here's how to fix it" messages that are just as easy to understand.

-- 
Chris Gianelloni
Release Engineering - Operations/QA Manager
Games - Developer
Gentoo Linux

Is your power animal a penguin?

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-dev] Re: Portage 2.0.51 comments/questions

[Duncan]

Chris Gianelloni posted <1096321571.15324.16.camel@cgianelloni.nuvox.net>,
excerpted below,  on Mon, 27 Sep 2004 17:46:11 -0400:

> profiles

OK, now that contradicts what Nic Jones said, that it should be singular,
/etc/portage/profile.  Which is is?

BTW, I see someone referring to /etc/portage/virtuals again today, and
that's the whole thing that raised the question about profile or profiles,
since portage complained that the direct under portage virtuals location
was depreciated (I like to put placeholder files in place, so I don't
have to go digging up the info when I need it, I just go edit my
placeholder file, so I created /etc/portage/virtuals immediately after
switching to .51 as I'd seen it mentioned, and had portage squawk about
it) and said I should use profiles/virtuals instead, but then I saw a
reference for another file to profile/*, and wondered if they were the
same dir with a typo in one, or whether both really WERE looked for.

>> QA Notice: Security risk /usr/bin/crontab. Please consider relinking with
>> 'append-ldflags -Wl,-z,now' to fix.
>> 
>> What's this mean?  What are the implications?
> 
> Actually, that is more a message for the developer.  You can perform the
> same function locally with the LDFLAGS variable in your make.conf, but
> really the package should be fixed by the developer by adding the
> "append-ldflags -Wl,-z,now" to the ebuilds, as stated by the emerge
> process.  This has all been since sfperms was added to the default
> FEATURES.

Thanks.  That makes sense.  Now I have what I need to fix it. As you
agreed, tho, even if it's meant primarily for the developer, security risk
messages without equally clear how-to-fix messages aren't really where
Gentoo should be. <g>

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Portage 2.0.51 comments/questions

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 1956 bytes --]

On Sun, 2004-09-26 at 23:52, Duncan wrote:

> What's this mean?  What are the implications?  How do I do that relinking
> if I decide I need to?   Can I fix it by enabling a feature in make.conf
> or do I run a separate command?  Either way, there's not enough info there
> to actually DO it, nor do I even have enough info to rightly evaluate the
> "security risk"!
> 
> There's simply not enough there to be anything but a  yet it's
> labeled security risk.  Someone's being *MEAN* with their teasing! =:^\


Sorry about that. This qa notice steams from an internal thread. It was
intended for developers to see. I've got an open bug now to change the
output of the qa notice.

The append-ldflags is a function that comes from the flag-o-matic.eclass
which is intended for the developer to use to add a string to the
packages LDFLAGS. The user interface works just like the CFLAGS
counterpart. 

So for example to make that message go away for crontab as a user you
would do LDFLAGS="-Wl,-z,now" emerge virtual/cron

The basic idea is rid our tree of setXid executables that have use lazy
bindings. Lazy binding themselves present no immediate risk that's been
documented. The behavior is just generally discouraged.

To answer the question about can you add this to any files the answer is
yes. For about a yaer or so now portage has accepted LDFLAGS via
make.conf. 
Before you jump into a system-wide deployment of a linker flag be sure
you understand what they do. The flag for one is known to slow down
program startup. You wont really see it on a small executable but really
big c++ app with alot of symbols that also loads alot of libraries you
might. On the same token of slowdowns is the runtime speedup you gain
because ld.so will already have looked up the entire symbol table.


*mean* -solar


-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-dev] Re: Portage 2.0.51 comments/questions

[Duncan]

Ned Ludd posted <1096599618.27475.712.camel@simple>, excerpted below,  on
Thu, 30 Sep 2004 23:00:18 -0400:

> On Sun, 2004-09-26 at 23:52, Duncan wrote:
> 
[about portage .51's QA Notice: Security risk notice]
>> 
>> There's simply not enough there to be anything but a [tease] yet it's
>> labeled security risk.  Someone's being *MEAN* with their teasing! =:^\
> 
> Sorry about that. This qa notice steams from an internal thread. It was
> intended for developers to see. I've got an open bug now to change the
> output of the qa notice.

Thanks.  Looking back, it's self-evident that the warning was designed for
developers, since that's what the other QA notices are.  However, that
wasn't evident to me /before/ someone told me, and in any case, such a
user-visible label as worded is a bit of needlessly panicking the
populace, so even with the developer understanding, changing it is a good
idea.

> The append-ldflags is a function that comes from the flag-o-matic.eclass
> which is intended for the developer to use to add a string to the
> packages LDFLAGS. The user interface works just like the CFLAGS
> counterpart.
> 
> So for example to make that message go away for crontab as a user you
> would do LDFLAGS="-Wl,-z,now" emerge virtual/cron

OK.  From the other posts and man gcc and man ld I'd figured out what was
involved there.  I've looked at flag-o-matic for cflags so am familiar
with the idea there, but hadn't paid attention to ldflags and thus didn't
recognize the append-ldflags from there.  Once I'd pieced together what
the rest did and that append-ldflags wasn't some sort of command I could
run from the command line or something, I decided it must be the portage
function (and guessed it was in an eclass but didn't bother to verify).
Nice to get verification of that and exactly where it is, now.

> The basic idea is rid our tree of setXid executables that have use lazy
> bindings. Lazy binding themselves present no immediate risk that's been
> documented. The behavior is just generally discouraged.

OK, from various reading, I understand the (theoretical) worry about lazy
bindings on setXid executables.  Thus, the level of threat is now known
and can be managed.  This is a good thing! <g>

I don't know how the message is being changed, but having this sort of
info available about it would be nice and would have prevented alarming
the user (me). <g>  Obviously, the message there can't be too verbose.
Perhaps a pointer to a QASECURITY.README file or a URL with the details?

All I want is to be an informed user, keeping in mind that from
a Gentoo dev perspective, their "user" is a sysadmin, and needs
such info, especially about security issues such as this, to properly do
their job.

IOW, this is basically the same request as I made some months ago about
changelogs entries denoting keyword removal. When I see an emerge -a with
a [ UD], I want to know /why/ I'm being asked to downgrade. Is it a
security issue or just some issue with functionality based on a USE flag I
don't even have turned on?  Since making the request, at least amd64 which
I follow has been very good at providing this user/sysadmin that info, and
it's been that much easier to do my job /as/ that sysadmin.

So, I guess I owe both them and now you and the portage team a round of
thanks for being so responsive.  Just another reason my Gentoo choice was
the RIGHT choice!

> Before you jump into a system-wide deployment of a linker flag be sure
> you understand what they do. The flag for one is known to slow down
> program startup. You wont really see it on a small executable but really
> big c++ app with alot of symbols that also loads alot of libraries you
> might. On the same token of slowdowns is the runtime speedup you gain
> because ld.so will already have looked up the entire symbol table.

Thanks for explaining that.  I have it on for now, but may consider
turning it off for stuff like KDE when updates to it come out. 

> *mean* -solar

<g>

-- 
Duncan - List replies preferred.   No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@gentoo.org mailing list