Copy: flow@gentoo.org (Florian Schmaus)

Most 17.x profiles have been downgraded to "exp".

I could imagine there is a reason to downgrade those back to 'exp',
could you elaborate a bit on that?

Isn't it bit strange that a 'stable' profiles gets downgraded back to
'exp'? Then again, I am not sure about the implications of this nor
about the rationale behind it.

Mostly so the load on the CI does not suddenly double.

There's no real reason why we can't keep a few of the profiles stable.
Also not much reason to do that though...

However, I also notice that there is a outstanding PR that reverts that
[1]. Maybe we should introduce a new state 'oldstable' or so?

- Flow

1: https://github.com/gentoo/gentoo/pull/35871

--
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQKTBAABCgB9FiEE/Rnm0xsZLuTcY+rT3CsWIV7VQSoFAmYSkkVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZE MTlFNkQzMUIxOTJFRTREQzYzRUFEM0RDMkIxNjIxNUVENTQxMkEACgkQ3CsWIV7V QSqHkRAAmwFl30xwadfvzf6tTktL63kaRbimZidh4D9xs7Mcux+bVrdQ+hf/4oWM ihQoDSF1PCzfCxLT1HtVDy3q5hsYePO4DBxQij4YCrdbGxpyBDuZf99RnYVTUndg zCq76ivUDJBHU7pcT9nLOMncwzgXubMZRrsX5kAAS/RQ/Nl0g1cHi3ekv+H+pkuH zgW+ZreaisAwtqqo/I+funtjSt9uSUZqYcfKeDCBrIREpEZbailQ/VGwq77gxVBE WJrjmrLkW2c0cyLdbATcYcgj54Ec0t1IYeqSrnY8mGkqF0oCnt0ST+LsCiRZAniH dCk7H+lsy1hcpGDXsf7Cm5Xn5gs6L/EO+bIfp29alOFlLChxwPEE+l0eLwQN8y+G iM3c9FJHMT9w6+dOaWHBcXkqX+EjR3oPGwFE4Ej72CHu4LBXpnrwUrvtGqSUFgmF k7aionHagp/apOfsRHdeJJCTIM9jVFoHqHbq8/gW4XdFjvURyX+BRsfCuGGg1oSv ungzLtekKtjIzwxQbLWVQqV/Mca9zynsNP6s1DV1EdUtNBxpKxOThtNBT9xwJeVu 3AOc8ZnmFVQKNPt4sEhfDR3jD8Q06/GWIC1khB72QmrCiCa7+o0gZqaT

Copy: mjo@gentoo.org (Michael Orlitzky)

Am Sonntag, 7. April 2024, 04:03:01 CEST schrieb Michael Orlitzky:

On Sat, 2024-04-06 at 17:06 +0200, Andreas K. Huettel wrote:

Hi all,

so here's a small update on the state of the 23.0 profiles:

Why was this silently added to make.defaults for all 23.0 profiles?

# This just makes sense nowadays, if only for distfiles... USE="lzma zstd"

Uhh, I dont really remember, I think some Chinese-sounding guy asked
me for it... (j/k)

Jokes aside, we did have bz2 in the default useflags for ages, and
at the time this made a lot of sense since xz/lzma and zstd were
steadily becoming the most prevalent compression algorithms.

And for anyone interested in the timeline, this was one of the first
additions.

commit 99a7cb9e0b1728ca75242ddfee6357dc008bd1cd
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: Sun Nov 13 19:26:40 2022 +0100
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: Sun Nov 13 19:27:36 2022 +0100

profiles: Set USE="xz zstd" in 23.0


--
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQKTBAABCgB9FiEE/Rnm0xsZLuTcY+rT3CsWIV7VQSoFAmYSkx5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZE MTlFNkQzMUIxOTJFRTREQzYzRUFEM0RDMkIxNjIxNUVENTQxMkEACgkQ3CsWIV7V QSqAfw//fzbd8Xvk4dFrImtiEGyMimT1GPtL+9dTUdeyOidhsOXF9DUN2RiyYH52 xzlY6/XhNlwU9cMf9byN3e7+dL6FBNWJ+4JgUpW/FvJsFbYxLQj3vDQTSidRucho 4sRj+pnPH2aFDM1nVnkXJmSjJrDAlQaPkk6ObHkwejZQivTMaTfK4zSIfU3o+u0/ VY0OKdBDD0XureUQWP5+oH5fYfpgCEiP3UGQRdFqqf8WnZcBWD/m9uNm/AHS1wXI r/lP/VAivV0d9VtoO6Lf+jhlxLpq2ZQ/iY68KvAsUa7i80P8A3+whS+TZ2GkTXfD JudiQgyooODNI65UXkQ8yS5DLLwX6bREuaZYkjcQ/UFS1PDz9zk492/oOia2Yu9d VhoFKxMMYVTYlPeCxTWbZKOSP6B4yIBNxSgDC4O8X9xsaCK0rdLZVxq7BsnIYIA4 h+rPleHWIVpR6qyyc2jPdXQ/cVDjJCxTk9n8xmlL0rj/Wso+RHRmBE68RQZ8/ehl i2nXc0ihl36VJQWYprOrwOhw2zh1sOazWoRBAzF72gzoHdWbi9Ud0M+yd8raWxkH oEZvROxYcZzDjNFUjtrEh+o60KeJ6yfiCF+i2kApcwcEClug2EfVCDoP

Copy: mjo@gentoo.org (Michael Orlitzky)

Am Sonntag, 7. April 2024, 14:51:55 CEST schrieb Michael Orlitzky:

On Sun, 2024-04-07 at 14:35 +0200, Andreas K. Huettel wrote:

Uhh, I dont really remember, I think some Chinese-sounding guy asked
me for it... (j/k)

It is remarkably bad timing. How it looks: Gentoo's response to the xz incident is to have me rebuild my entire system with everything that
could possibly be linked to liblzma, linked to liblzma. Even on the
hardened profiles, and with no easy way to prevent it.

Well, we're now working with the best-audited compression library ever,
I guess.

tl;dr can we turn them back off in the profile? In any scenario where
they are beneficial, there's a better place to put them.

Easily doable with lzma, if there is consensus for it.

Slightly more complex for zstd since this affects gcc and binutils.
Still doable though.

--
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQKTBAABCgB9FiEE/Rnm0xsZLuTcY+rT3CsWIV7VQSoFAmYSmnVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZE MTlFNkQzMUIxOTJFRTREQzYzRUFEM0RDMkIxNjIxNUVENTQxMkEACgkQ3CsWIV7V QSoq5RAAgiYsTlS/uKtet6e9Fu7Y+wYvHpAuyqfYZfQhYR4KkBssHy6HuUl/m5DO pxljPYZJFRZ9CeMHQsrDNRVAQSUEQUbfCwtZJ+b5RDBPZZUMxeE8phTmg2u8LAKr o6EbGIUYIpN2+WPJ/IX0QYIOQv5H5ToX6fJAnoo+V27PUhyZxkmTgluropJT8O55 wcCai9i/3q2AHxiFQ79w35KsDeTNE3LLeHXQnFJiHrK2Bcn/+Yo0rv9/DuOQBzEM 8Pj4zOSX37a3uktPF/mFzHzQitQEe3xZRirVows3M3EPSgKaUAiOxxI90hhsP/l5 0eXHZ8irwnJJ7N12wOV1N0NT1Md5+g4OF7/YJTMyis5U0pT09D7SLrTa1uZplvSw DqMIZ6efAg1/9pBgdqJQw3NWVoH2tDp05x0slNYH1Vf2qhGTYPzB12NLu0/hb4ox 4moRoog4z7DvjFWubTOqQw+9hLrdI+LcaaBcfDOLe9tOpNzHRKPhtizTPv+Ke2/M ev2RMVRC/Bb1Svbfv3CX7DHSVBT3umwZmR9q3Gm4dcku9W0GYWs7eG0+/gPCnHga 3dP9acfJS/mlEcvf4alUvulx8joLZLNVgr9lDmakly4r8qRo6y1EyDIS

On Sun, 2024-04-07 at 08:51 -0400, Michael Orlitzky wrote:

On Sun, 2024-04-07 at 14:35 +0200, Andreas K. Huettel wrote:

Uhh, I dont really remember, I think some Chinese-sounding guy asked
me for it... (j/k)

It is remarkably bad timing. How it looks: Gentoo's response to the xz incident is to have me rebuild my entire system with everything that
could possibly be linked to liblzma, linked to liblzma. Even on the
hardened profiles, and with no easy way to prevent it.

So, what you're basically saying, is that the best Gentoo response right
now would be to frantically remove LZMA support everywhere? I'm sure
that would be so much better than our response of masking vulnerable
versions and issuing a statement.

--
Best regards,
Michał Górny


-----BEGIN PGP SIGNATURE-----

iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmYSsiwSHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQO+0AH/jAUDyiorlAzqbXM/EC/HZv1iL5CjnYk 1j7NeKE/c6j77iNvtXVG5J+UciArqsyXdh8CgU5d4hcWEHH28hwdCsczwp03h2DE crAxAF1QD+QuDCn5qhZWtEelNbaM/MKJxvdeJMAjCmgg78YwOxYd4Z/3ikuPsTaN cfgW5JfL/nEA1V0AhUemP8ytfBhglCNgeBavOWQwgc4bu3skspLMcrnu0CS0EqXu C1ha++dMUMHAFYfJY8cKrj2Fi+Hb3E8pSEAHb2hjJA4hKEgGtXCbigoWrAp6LB1D I3sX4GweFxhX8bHmDWPq12Cr+Vyd4PEec/4C1Sx++rVp+aLFmWPkE5g=
=IBXa
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 7 Apr 2024 at 22:09, Michael Orlitzky <mjo@gentoo.org> wrote:
<snip>

What I am saying is that I want the freedom to not have things
pointlessly enabled on my systems, because similar problems (and worse) happen all day every day. The less exposure I have, the better. The
liblzma backdoor was timely because it will prevent most people from
telling me I'm being paranoid, but it could have been USE=anything on
any other day. Moving the defaults out of the high-level profiles will
give control back to the user, hence my complaint about it.

I agree, to be honest. The spirit of profiles has always felt like it
switches on safe/sane defaults that you'd expect for the name (a
desktop plasma profile switches on all the useful desktop USE flags, a
basic profile enables the bare minimum for a bootable system, etc),
giving an expected functionality in the resulting outcome of a
re-merge of world.

Outside of this, preferred compression tools, preferred editors
etc...should be up to the user, or implied in the profile name if it's
going to be switched on in the profile defaults. I don't use zstd
myself, I prefer xz or lz4 depending on my purpose. It's on my system
because some things I chose to have required it. It feels un-Gentoo
for me to have zstd around _just because_, which the profile default
would bring into play.

--
Ninpo

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 2024-04-08 at 01:22 +0100, Alex Boag-Munroe wrote:

On Sun, 7 Apr 2024 at 22:09, Michael Orlitzky <mjo@gentoo.org> wrote:
<snip>

What I am saying is that I want the freedom to not have things
pointlessly enabled on my systems, because similar problems (and worse) happen all day every day. The less exposure I have, the better. The
liblzma backdoor was timely because it will prevent most people from telling me I'm being paranoid, but it could have been USE=anything on
any other day. Moving the defaults out of the high-level profiles will
give control back to the user, hence my complaint about it.

I agree, to be honest. The spirit of profiles has always felt like it switches on safe/sane defaults that you'd expect for the name (a
desktop plasma profile switches on all the useful desktop USE flags, a
basic profile enables the bare minimum for a bootable system, etc),
giving an expected functionality in the resulting outcome of a
re-merge of world.

Precisely.

Outside of this, preferred compression tools, preferred editors
etc...should be up to the user, or implied in the profile name if it's
going to be switched on in the profile defaults. I don't use zstd
myself, I prefer xz or lz4 depending on my purpose. It's on my system
because some things I chose to have required it. It feels un-Gentoo
for me to have zstd around _just because_, which the profile default
would bring into play.

It's not a "preferred compression tool". "Preferred compression tool"
is selected via adding the package to your @world set. The flag is used
for enable specific functionality on packages. This function may be
limited to being able to optionally compress something. But it could
e.g. also be responsible for being able to, say, open a specific file
format (and I'm not talking of explicitly .xz compressed files)
or a database, or receive proper interoperability elsewhere.

The cost of enabling support for a compression library that's already
installed by default (because you need it to unpack distfiles) is very
little compared to the cost of suddenly discovering that things don't
work.

--
Best regards,
Michał Górny


-----BEGIN PGP SIGNATURE-----

iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmYTX2ASHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQOyt8IALv1woRMPLnEJ5L6tZUEHH7HNBjD/Ya+ tq5GMazU3eF8mZuGN3nncCk+ld4t2qQgPak/Nt5P0RfLD37+ikSlakoHkNK30QP/ g/BJY2U1uusioKtDI9G4xU1pkbAMqdBYo1lx0CDl5xHn3qoe45Of+IQW+/b52tdp hyPMV7NTpm7fOtDU6s2AlpwRc/eOMNIh9z2kvEccMn/7sNipHJt8HBaLUETMcj+g ANJUWfv+M1K5kM7AC+XzJ2Gz22Fn7/5PVryG0k4lgNk+8s3ee3dLXQZBG65pLYin qKInihKzoetAiFsTeFKe1Kvdb7EMGP+IcB5PLaDDlDzkbtmaftO6k3c=
=oM9P
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Orlitzky wrote:

On Sun, 2024-04-07 at 15:07 +0200, Andreas K. Huettel wrote:

tl;dr can we turn them back off in the profile? In any scenario where
they are beneficial, there's a better place to put them.

Easily doable with lzma, if there is consensus for it.

Slightly more complex for zstd since this affects gcc and binutils.
Still doable though.

Thanks:

* https://bugs.gentoo.org/928932
* https://bugs.gentoo.org/928933

I know this thread is only for people actually involved in Gentoo
decision making, but I'll add my 2c anyway.

I'm sure nobody is surprised that I support Michael Orlitzky here 100%.

My personal "dream" is to have a Gentoo in the future where *all*
compression is optional, only enabled by those who want it, not forced
on anybody.

In my opinion the importance of compression in general diminishes every
year that goes by as naturally the trend in storage space has to be that
it increases. So compression will increasingly become a) an extra
undesirable security risk (it's quite complex to write and maintain
which only increases rather than decreases the likelihood of security
issues) and b) a cpu cycle waster (cpu resources will likely remain more precious than storage).

I'd love to eventually see a Gentoo where most upstream source is pulled
in untouched and uncompressed by default and if people want compression
they can enable it. So I would hope that as each new profile release
comes, Gentoo becomes less chained to any particular compression
libraries than it was before, not more. But I'm aware this is
unrealistic today from the pov of Gentoo infra. Still, I'm allowed to
dream right?

P.S. This is not a demand, just 2c, and yes, I do know ultimately the
ones who role their sleeves up and submit patches will decide these things.

Eddie

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)