• Re: [gentoo-dev] Update on the 23.0 profiles

    From Andreas K. Huettel@21:1/5 to All on Sun Apr 7 14:32:05 2024
    Copy: flow@gentoo.org (Florian Schmaus)

    Most 17.x profiles have been downgraded to "exp".

    I could imagine there is a reason to downgrade those back to 'exp',
    could you elaborate a bit on that?

    Isn't it a bit strange that a 'stable' profile gets downgraded back to
    'exp'? Then again, I am not sure about the implications of this nor
    about the rationale behind it.

    Mostly so the load on the CI does not suddenly double.

    There's no real reason why we can't keep a few of the profiles stable.
    Also not much reason to do that though...


    However, I also notice that there is an outstanding PR that reverts that
    [1]. Maybe we should introduce a new state 'oldstable' or so?

    - Flow


    1: https://github.com/gentoo/gentoo/pull/35871



    --
    Andreas K. Hüttel
    dilfridge@gentoo.org
    Gentoo Linux developer
    (council, toolchain, base-system, perl, libreoffice)
  • From Andreas K. Huettel@21:1/5 to All on Sun Apr 7 14:35:42 2024
    Copy: mjo@gentoo.org (Michael Orlitzky)

    On Sunday, 7 April 2024, 04:03:01 CEST, Michael Orlitzky wrote:
    On Sat, 2024-04-06 at 17:06 +0200, Andreas K. Huettel wrote:
    Hi all,

    so here's a small update on the state of the 23.0 profiles:


    Why was this silently added to make.defaults for all 23.0 profiles?

    # This just makes sense nowadays, if only for distfiles...
    USE="lzma zstd"

    Uhh, I don't really remember, I think some Chinese-sounding guy asked
    me for it... (j/k)

    Jokes aside, we did have bz2 in the default useflags for ages, and
    at the time this made a lot of sense since xz/lzma and zstd were
    steadily becoming the most prevalent compression algorithms.

    And for anyone interested in the timeline, this was one of the first
    additions.

    commit 99a7cb9e0b1728ca75242ddfee6357dc008bd1cd
    Author: Andreas K. Hüttel <dilfridge@gentoo.org>
    AuthorDate: Sun Nov 13 19:26:40 2022 +0100
    Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
    CommitDate: Sun Nov 13 19:27:36 2022 +0100

    profiles: Set USE="xz zstd" in 23.0


    --
    Andreas K. Hüttel
    dilfridge@gentoo.org
    Gentoo Linux developer
    (council, toolchain, base-system, perl, libreoffice)
  • From Andreas K. Huettel@21:1/5 to All on Sun Apr 7 15:07:01 2024
    Copy: mjo@gentoo.org (Michael Orlitzky)

    On Sunday, 7 April 2024, 14:51:55 CEST, Michael Orlitzky wrote:
    On Sun, 2024-04-07 at 14:35 +0200, Andreas K. Huettel wrote:

    Uhh, I don't really remember, I think some Chinese-sounding guy asked
    me for it... (j/k)

    It is remarkably bad timing. How it looks: Gentoo's response to the xz
    incident is to have me rebuild my entire system with everything that
    could possibly be linked to liblzma, linked to liblzma. Even on the
    hardened profiles, and with no easy way to prevent it.

    Well, we're now working with the best-audited compression library ever,
    I guess.

    tl;dr can we turn them back off in the profile? In any scenario where
    they are beneficial, there's a better place to put them.

    Easily doable with lzma, if there is consensus for it.

    Slightly more complex for zstd since this affects gcc and binutils.
    Still doable though.

    --
    Andreas K. Hüttel
    dilfridge@gentoo.org
    Gentoo Linux developer
    (council, toolchain, base-system, perl, libreoffice)
  • From Michał Górny@21:1/5 to Michael Orlitzky on Sun Apr 7 16:50:01 2024
    On Sun, 2024-04-07 at 08:51 -0400, Michael Orlitzky wrote:
    On Sun, 2024-04-07 at 14:35 +0200, Andreas K. Huettel wrote:

    Uhh, I don't really remember, I think some Chinese-sounding guy asked
    me for it... (j/k)

    It is remarkably bad timing. How it looks: Gentoo's response to the xz
    incident is to have me rebuild my entire system with everything that
    could possibly be linked to liblzma, linked to liblzma. Even on the
    hardened profiles, and with no easy way to prevent it.

    So, what you're basically saying, is that the best Gentoo response right
    now would be to frantically remove LZMA support everywhere? I'm sure
    that would be so much better than our response of masking vulnerable
    versions and issuing a statement.

    --
    Best regards,
    Michał Górny



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Alex Boag-Munroe@21:1/5 to Michael Orlitzky on Mon Apr 8 02:30:02 2024
    On Sun, 7 Apr 2024 at 22:09, Michael Orlitzky <mjo@gentoo.org> wrote:
    <snip>
    What I am saying is that I want the freedom to not have things
    pointlessly enabled on my systems, because similar problems (and worse)
    happen all day every day. The less exposure I have, the better. The
    liblzma backdoor was timely because it will prevent most people from
    telling me I'm being paranoid, but it could have been USE=anything on
    any other day. Moving the defaults out of the high-level profiles will
    give control back to the user, hence my complaint about it.


    I agree, to be honest. The spirit of profiles has always felt like it
    switches on safe/sane defaults that you'd expect for the name (a
    desktop plasma profile switches on all the useful desktop USE flags, a
    basic profile enables the bare minimum for a bootable system, etc),
    giving an expected functionality in the resulting outcome of a
    re-merge of world.

    Outside of this, preferred compression tools, preferred editors
    etc...should be up to the user, or implied in the profile name if it's
    going to be switched on in the profile defaults. I don't use zstd
    myself, I prefer xz or lz4 depending on my purpose. It's on my system
    because some things I chose to have required it. It feels un-Gentoo
    for me to have zstd around _just because_, which the profile default
    would bring into play.

    --
    Ninpo

  • From Michał Górny@21:1/5 to Alex Boag-Munroe on Mon Apr 8 05:10:01 2024
    On Mon, 2024-04-08 at 01:22 +0100, Alex Boag-Munroe wrote:
    On Sun, 7 Apr 2024 at 22:09, Michael Orlitzky <mjo@gentoo.org> wrote:
    <snip>
    What I am saying is that I want the freedom to not have things
    pointlessly enabled on my systems, because similar problems (and worse)
    happen all day every day. The less exposure I have, the better. The
    liblzma backdoor was timely because it will prevent most people from
    telling me I'm being paranoid, but it could have been USE=anything on
    any other day. Moving the defaults out of the high-level profiles will
    give control back to the user, hence my complaint about it.


    I agree, to be honest. The spirit of profiles has always felt like it
    switches on safe/sane defaults that you'd expect for the name (a
    desktop plasma profile switches on all the useful desktop USE flags, a
    basic profile enables the bare minimum for a bootable system, etc),
    giving an expected functionality in the resulting outcome of a
    re-merge of world.

    Precisely.

    Outside of this, preferred compression tools, preferred editors
    etc...should be up to the user, or implied in the profile name if it's
    going to be switched on in the profile defaults. I don't use zstd
    myself, I prefer xz or lz4 depending on my purpose. It's on my system
    because some things I chose to have required it. It feels un-Gentoo
    for me to have zstd around _just because_, which the profile default
    would bring into play.


    It's not a "preferred compression tool". "Preferred compression tool"
    is selected via adding the package to your @world set. The flag is used
    to enable specific functionality on packages. This function may be
    limited to being able to optionally compress something. But it could
    e.g. also be responsible for being able to, say, open a specific file
    format (and I'm not talking of explicitly .xz compressed files)
    or a database, or receive proper interoperability elsewhere.

    The cost of enabling support for a compression library that's already
    installed by default (because you need it to unpack distfiles) is very
    little compared to the cost of suddenly discovering that things don't
    work.

    --
    Best regards,
    Michał Górny



  • From Eddie Chapman@21:1/5 to Michael Orlitzky on Mon Apr 8 17:20:01 2024
    Michael Orlitzky wrote:
    On Sun, 2024-04-07 at 15:07 +0200, Andreas K. Huettel wrote:

    tl;dr can we turn them back off in the profile? In any scenario where
    they are beneficial, there's a better place to put them.

    Easily doable with lzma, if there is consensus for it.

    Slightly more complex for zstd since this affects gcc and binutils.
    Still doable though.

    Thanks:

    * https://bugs.gentoo.org/928932
    * https://bugs.gentoo.org/928933

    I know this thread is only for people actually involved in Gentoo
    decision making, but I'll add my 2c anyway.

    I'm sure nobody is surprised that I support Michael Orlitzky here 100%.

    My personal "dream" is to have a Gentoo in the future where *all*
    compression is optional, only enabled by those who want it, not forced
    on anybody.

    In my opinion the importance of compression in general diminishes every
    year that goes by as naturally the trend in storage space has to be that
    it increases. So compression will increasingly become a) an extra
    undesirable security risk (it's quite complex to write and maintain
    which only increases rather than decreases the likelihood of security
    issues) and b) a cpu cycle waster (cpu resources will likely remain more
    precious than storage).

    I'd love to eventually see a Gentoo where most upstream source is pulled
    in untouched and uncompressed by default and if people want compression
    they can enable it. So I would hope that as each new profile release
    comes, Gentoo becomes less chained to any particular compression
    libraries than it was before, not more. But I'm aware this is
    unrealistic today from the pov of Gentoo infra. Still, I'm allowed to
    dream right?

    P.S. This is not a demand, just 2c, and yes, I do know ultimately the
    ones who roll their sleeves up and submit patches will decide these things.

    Eddie
