On Mon, Apr 8, 2013 at 9:29 AM, Chí-Thanh Christopher Nguyễn <[email protected]> wrote:
> Mike Gilbert schrieb:
>>> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no
>>> longer has a || die. This means that the resulting binaries may have PT_PAX,
>>> XATTR_PAX, both or neither markings depending on kernel configuration,
>>> filesystem and mount options.
>>>
>>> I'd say that is not a good thing. If you agree with me, what could be done
>>> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This
>>> would probably require pax-mark calls to be conditional on pax_kernel USE
>>> flag or similar.
>>>
>> Most ebuilds do not call pax-mark || die. Most people do not run PaX
>> systems, so a failure here is not a major issue.
>
> I agree that not having the pax-mark is not a significant problem
> currently. It could become one when PaX becomes more widespread, but
> that is not likely in the near term.
>
> What I think is bad is the automagic aspect of enabling pax-mark.
>
>
> Best regards,
> Chí-Thanh Christopher Nguyễn
I had some issues with pax-mark failing to work on OpenVZ containers stored on partitions mounted without the user_xattr argument and ebuilds with '|| die', and was going to open bugs to have people remove the '|| die' statements from the ebuilds, when I saw this thread. Disabling xattr isn't a very common use case, but it is still valid. I don't want to have my builds failing at install phase just because the binary can't be pax-mark'ed, when I clearly don't care about PaX. If we don't want the automagic behavior, we should allow users to explicitly disable it.

-- 
Rafael Goncalves Martins
Gentoo Linux developer
http://rafaelmartins.eng.br/
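As an added illustration (not from this thread, and not code from pax-utils.eclass or any Gentoo ebuild), here is a shell sketch of the policy being proposed: attempt pax-mark only when the user has opted in via the pax_kernel USE flag, and only then treat a marking failure as fatal. The /proc/mounts line, the stub pax-mark and the USE_PAX_KERNEL variable are constructed stand-ins for the real eclass helper and `use pax_kernel`.

```bash
#!/bin/bash
# Constructed /proc/mounts line for the partition holding the build image.
# On a real system this would be read from /proc/mounts or `findmnt`.
SAMPLE_MOUNT_LINE="/dev/sda3 /var/lib/vz ext4 rw,relatime,nouser_xattr 0 0"

# Return 0 if the options field (4th field) of a /proc/mounts line lists
# user_xattr. Note "nouser_xattr" must not match, hence the comma framing.
mount_has_user_xattr() {
    set -- $1                       # split fields on whitespace (unquoted on purpose)
    case ",$4," in
        *,user_xattr,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Hypothetical stand-in for the eclass pax-mark: here it succeeds only when
# the build partition supports user xattrs (XATTR_PAX needs them). The real
# helper also tries PT_PAX program headers; that path is not modelled.
stub_pax_mark() {
    local flags=$1 file=$2
    mount_has_user_xattr "$SAMPLE_MOUNT_LINE"
}

# Stand-in for the pax_kernel USE flag (1 = enabled), as `use pax_kernel`
# would report inside an ebuild.
USE_PAX_KERNEL=${USE_PAX_KERNEL:-0}

# Policy under discussion: skip marking unless the user asked for it; when
# they did, a failed mark is fatal (the "|| die" the thread argues about).
# Returns 0 on skip or success, 1 where an ebuild would die.
pax_mark_or_die() {
    local file=$1
    if [ "$USE_PAX_KERNEL" != "1" ]; then
        echo "pax_kernel disabled, not marking $file"
        return 0
    fi
    if ! stub_pax_mark m "$file"; then
        echo "die: pax-mark failed for $file (no user_xattr on build partition?)" >&2
        return 1
    fi
    echo "marked $file"
    return 0
}
```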
