On Thu, Nov 05, 2015 at 02:32:57PM GMT, Stuart Henderson wrote: > yay/nay?
Personally, I think that parts of faq15 should simply be removed and replaced with links to faq/ports - especially since some of it is nearly identical. Is there any reason why information is duplicated here? I hadn't had a chance to compile a diff yet, though - lack of time ATM. In terms of USE_SYSTRACE, yes - given that this breaks build on some ports, removing it makes sense IMO. Regards, Raf > Index: faq15.html > =================================================================== > RCS file: /cvs/www/faq/faq15.html,v > retrieving revision 1.114 > diff -u -p -r1.114 faq15.html > --- faq15.html 2 Nov 2015 03:35:44 -0000 1.114 > +++ faq15.html 5 Nov 2015 14:26:10 -0000 > @@ -849,8 +849,8 @@ Because the OpenBSD project does not hav > the source code of all software in the ports tree, you can configure the > ports system to take a few safety precautions. > The ports infrastructure is able to perform all building as a regular user, > -and perform only those steps that require superuser privileges as root. > -Examples are the <tt>fake</tt> and <tt>install</tt> make targets. > +and perform only those steps that require superuser privileges as root, for > +example the <tt>install</tt> make target. > However, because root privileges are always required at some point, > the ports system will not save you when you decide to build a malicious > application. > @@ -879,9 +879,8 @@ This requires granting three permissions > by adding the following line to to > <a > href="http://www.openbsd.org/cgi-bin/man.cgi?query=mk.conf&sektion=5";>mk.conf(5)</a>: > <blockquote><pre> > - SUDO=/usr/bin/doas > - </pre></blockquote> > - </ul> > + SUDO=/usr/bin/doas</pre> > + </blockquote></ul> > > <li>You can modify the ownerships of the ports tree so that you can write > there as a regular user. > @@ -892,20 +891,6 @@ underlying directories are made group wr > # <b>chgrp -R wsrc /usr/ports</b> > # <b>find /usr/ports -type d -exec chmod g+w {} \;</b> > </pre></blockquote> > - > -<li>You can have the ports system use > -<a > href="http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&sektion=1";>systrace(1)</a> > -by adding the following to <tt>/etc/mk.conf</tt> > - > -<blockquote><pre> > -USE_SYSTRACE=Yes > -</pre></blockquote> > - > -This enforces the build procedure to stay inside allowed directories, and > -prohibits writing in illegal places, thereby considerably reducing the risk > -of a damaged system. > -Note that the use of systrace(1) adds about 20% overhead in build time. > - > </ul> > > <p> >
