From: Marius Mauch <genone@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] Environment Whitelisting
Date: Mon, 22 Aug 2005 23:33:23 +0200
Message-ID: <20050822233323.276ad887@andy.genone.homeip.net>
In-Reply-To: <4308E349.8010107@egr.msu.edu>

On 08/21/05 Alec Warner wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Was talking with Brian about the build environment and how settings
> were to be passed into the build environment.
>
> Essentially three scenarios were presented.
>
> 1) The full environment is passed to the build environment. This was
> generally agreed upon to be bad since there are environmental things
> that can cause build problems.
>
> 2) The full environment is parsed via a blacklist to strip out
> environment settings that are known to be bad for building packages.
> This leads to a clean* build environment. However, maintaining the
> blacklist can be a challenge if it grows in size.
>
> (*) clean, meaning all the bad things we know about are not in the
> build environment. This does not account for the bad things we do NOT
> know about.
>
> 3) The full environment is parsed via a whitelist to get a list of
> environment settings that are known to be good for building packages.
> This leads to a clean build environment, as only whitelisted
> environment settings are passed in. However, the whitelist will
> probably be worse to maintain than a blacklist.
>
> Both 2) and 3) above have issues where some build variables are bad
> for ebuild X but not ebuild Y. I am unsure how exactly to cover any
> kind of situation like that ( and I don't have an example from the
> tree, save perhaps LANG=weird-language ).
>
> To me 1) is unacceptable and 3) is the best option. Feel free to
> shoot these down as you see fit ;)

Well, codewise 2) and 3) aren't that different (one is just the
inversion of the other), so why not implement both, make a config
setting for it and get empirical data to find the "best" solution?
Actually don't even need a config switch, just detect if a blacklist or
a whitelist is present and use them then.

Theoretical discussions about this are pointless IMO without
numbers/facts to back things up.

Marius
--
Public Key at http://www.genone.de/info/gpg-key.pub
In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
--
gentoo-portage-dev@gentoo.org mailing list
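
The approach suggested in the reply above, as an added example that is not part of the original message and is not Portage code: one filter that uses a whitelist if one is present, otherwise a blacklist, and reports what each mode dropped so the two can be compared. The function name, the pattern lists and the sample environment are assumptions constructed for illustration.

```python
import fnmatch

def _matches(name, patterns):
    """True if the variable name matches any shell-style pattern."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def filter_build_env(env, whitelist=None, blacklist=None):
    """Return (clean_env, dropped_names, mode).

    Hypothetical helper: a whitelist takes precedence if present,
    otherwise a blacklist is applied; with neither list the full
    environment passes through (scenario 1 in the quoted message).
    """
    if whitelist is not None:
        mode = "whitelist"
        keep = lambda name: _matches(name, whitelist)
    elif blacklist is not None:
        mode = "blacklist"
        keep = lambda name: not _matches(name, blacklist)
    else:
        mode = "passthrough"
        keep = lambda name: True
    clean = {k: v for k, v in env.items() if keep(k)}
    dropped = sorted(set(env) - set(clean))
    return clean, dropped, mode

# Constructed sample environment, not taken from any real system.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/root",
    "CFLAGS": "-O2 -pipe",
    "LANG": "weird-language",
    "LD_PRELOAD": "/usr/lib/libexample.so",
    "GREP_OPTIONS": "--color=always",  # deliberately absent from BLACKLIST
}
# Constructed policy lists (assumptions, not Portage's real lists).
WHITELIST = ["PATH", "HOME", "CFLAGS", "CXXFLAGS", "LDFLAGS"]
BLACKLIST = ["LANG", "LC_*", "LD_PRELOAD"]

if __name__ == "__main__":
    for kwargs in ({"whitelist": WHITELIST}, {"blacklist": BLACKLIST}, {}):
        clean, dropped, mode = filter_build_env(SAMPLE_ENV, **kwargs)
        print(f"{mode:11} keeps={sorted(clean)} drops={dropped}")
```

In the sample, GREP_OPTIONS survives the blacklist but not the whitelist, which is the "bad things we do NOT know about" case from the quoted message.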