To: gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-dev] Re: net-im/pidgin protocols
Followup-To: gmane.linux.gentoo.project
Date: Fri, 20 Jul 2007 05:10:01 +0000 (UTC)
Cc: gentoo-project@lists.gentoo.org

"Eric Polino" posted
b21328ed0707192102s2d4d46c8t719e2e4b9720967f@mail.gmail.com, excerpted
below, on Fri, 20 Jul 2007 00:02:56 -0400:

> On 7/19/07, Duncan <1i5t5.duncan@cox.net> wrote:
>> "Eric Polino" posted
>> b21328ed0707191852o3ec406b6ga325c70951d83adc@mail.gmail.com, excerpted
>> below, on Thu, 19 Jul 2007 21:52:16 -0400:
>>
>> > Yes there would be a few other small supporting packages.
>>
>> I may well be in the minority on this, but here it's not so much the
>> compile time or space I'm worried about, but the whole security thing
>> of not installing stuff that I'm not going to use and shouldn't need.
>
> If this is truly a problem, then I think the negative USE flags might be
> the better solution then. This would allow users the ability to disable
> potential insecure features. But really, I doubt security is an issue
> here.

Some people don't like negative USE flags because they are a bit
counter-intuitive. You /enable/ the USE flag to /disable/ the feature,
and that counter-intuitivity has some devs hoping to eventually do away
with them entirely.
Personally, while I generally prefer positive flags, negative flags
serve a very good purpose precisely because they /do/ stick out -- if I
encounter one, it's a pretty good indication I better think twice about
disabling it (since it's generally enabled by default). It serves as a
quite useful distinction between "do as you wish" flags and "do as you
wish, but be SURE you know the consequences first." So I agree with you
on the negative USE flag idea but believe many won't.

The security issue is in general, and worse when an app is net-exposed
as is the case here. Think of the recent aim:// protocol exploits in
certain apps. If a user never uses AIM, they may not realize they are
vulnerable, yet if these apps are installed with aim:// protocol active,
they are /very/ exposed as the exploit (from what I've read) required
simply that the remote end of the conversation invoke an aim:// URL with
the malware payload attached. If it's possible to protect a user from
that sort of exploit by making various protocols optional so they don't
need them enabled when not necessary (and that's what Gentoo does with
USE flags and compile from source), I believe it's a very good idea to
do so.

>> To be clear, if it's simply the USE flag defaults under debate, not a
>> problem [but s]omeone mentioned just killing the USE flags and making
>> them all hard dependencies
>
> [H]ow different would this be to any application that requires
> dependencies and you can't change the fact that they require them.

Required are required. Take it or leave it. Decision made by upstream
and when a user chooses that app. Optionals are just that, optional.

> The Pidgin team "sells" their application as having all these protocols
> so they should be there, at least out of the box.

But a big selling point of Gentoo is that it doesn't force you to take
that "box" as it's normally shipped.
You effectively get the components as a kit and assemble it yourself,
with the ability to leave out parts that you don't need. That's a /good/
thing, at least to most Gentoo users, or by definition, they'd be using
a distribution that comes with all those binaries "pre-assembled". To
then ship it with all those options forced on... goes against one of the
big points of running Gentoo in the first place.

>> People not running -pv or -av...
>
> Don't know what you mean here.

Simply that down that topic lies a rant, and this isn't the place for
it.

This subthread is headed off-topic for gentoo-dev too, so I'm x-posting
to gentoo-project, with further replies set to go there (if the listserv
doesn't overwrite them). Or reply to me personally if you prefer.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman

-- 
gentoo-dev@gentoo.org mailing list