All three features should be mature enough to be enabled by default.
CGroups provide better tracking for ebuild processes, while the two
sandboxes improve security through restricting IPC & network access for
build-only phases.

All the features degrade gracefully when the relevant kernel features
are not available.
---
 cnf/make.globals | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618..2d93e9d 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -50,9 +50,10 @@ RESUMECOMMAND_SSH=${FETCHCOMMAND_SSH}
 FETCHCOMMAND_SFTP="bash -c \"x=\\\${2#sftp://} ; host=\\\${x%%/*} ; 
port=\\\${host##*:} ; host=\\\${host%:*} ; [[ \\\${host} = \\\${port} ]] && 
port=22 ; eval \\\"declare -a ssh_opts=(\\\${3})\\\" ; exec sftp -P \\\${port} 
\\\"\\\${ssh_opts[@]}\\\" \\\"\\\${host}:/\\\${x#*/}\\\" \\\"\\\$1\\\"\" sftp 
\"\${DISTDIR}/\${FILE}\" \"\${URI}\" \"\${PORTAGE_SSH_OPTS}\""
 
 # Default user options
-FEATURES="assume-digests binpkg-logs
+FEATURES="assume-digests binpkg-logs cgroup
           config-protect-if-modified distlocks ebuild-locks
-          fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned
+          fixlafiles ipc-sandbox merge-sync network-sandbox
+                 news parallel-fetch preserve-libs protect-owned
           sandbox sfperms strict unknown-features-warn unmerge-logs
           unmerge-orphans userfetch userpriv usersandbox usersync"
 
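Review bot: The added continuation line `news parallel-fetch preserve-libs protect-owned` in the FEATURES default is indented deeper than the neighbouring continuation lines, which all share one column; re-indent it to match so the list stays uniform and later diffs of this block stay readable. Separately, the diffstat shows only cnf/make.globals changing, so the commit message or the accompanying documentation should say that the three new defaults (`cgroup`, `ipc-sandbox`, `network-sandbox`) can be turned off with negated FEATURES entries such as `-network-sandbox`, for systems whose builds still expect network or host IPC access during build phases.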
-- 
2.3.5

