Re: [gentoo-dev] We need *you* for a USE=selinux dependency

2011-12-05 Thread Pacho Ramos
On Sun, 04-12-2011 at 17:53 -0500, Mike Frysinger wrote:
 On Sunday 04 December 2011 15:35:50 Sven Vermeulen wrote:
  Since there are quite a few packages that would need updates, I thought
  about first mailing gentoo-dev for feedback and perhaps a first chunk of
  work done. I also wouldn't mind creating bugreports for each of them, but
  that would still be best done after having mailed gentoo-dev ;-)
 
 i generally don't want to see bug reports that say please add IUSE=selinux to
 XXX package and add 'selinux? ( sec-policy/selinux-XXX )' to *DEPEND.  if 
 selinux wants policies pulled in by packages based on USE=selinux, and that's 
 the only change needed, then feel free to commit the change yourself for any 
 toolchain / base-system / vapier package.  probably easiest to skip the 
 revbump and just commit to existing packages since selinux has been deadish 
 for quite some time :P.

I fully agree with Mike here, feel free to change it in packages
maintained by me (I have seen bluez ;))

 
  games-board/aisleriot sec-policy/selinux-games
 
 i don't see why this game is singled out.  if you have a selinux policy for 
 all games, then it sounds like we should add this logic to games.eclass.
 
  net-im/climm sec-policy/selinux-games
 
 you sure about that one ?  this isn't a game (unless you count all forms of IM
 a game :p).
 
 and yes, this list really really should have been sent through `sort`
 -mike






Re: [gentoo-dev] sources.gentoo.org instability

2011-12-05 Thread Andreas K. Huettel

Seriously, what do we gain from crawlers accessing sources.gentoo.org?  I can't 
really remember seeing it once in a google query result... 

Possibly it would not even be required to deny all requests, but just deny 
everything related to ancient history...

 Hello,
 
 For a while sources.gentoo.org has been puttering along and its health
 has slowly declined. We migrated it to some newer shiny hardware in an
 attempt to mitigate the problem but that did not pan out. 90% (or
 more) of sources.gentoo.org traffic is crawler bots and not actual
 humans. That being said; if we cannot serve requests to the bots
 within our timeouts we serve 500's instead which is never really what
 we want (particularly when we spent 20s of CPU to calculate 80% of the
 response only to see the client timeout :/.)
 
 The majority of the expensive requests are related to package.mask and
 use.local.desc queries by crawlers. Like crawling the entire 13000 rev
 history for package.mask (or similar.)
 
 While it is likely we will monkey patch viewvc to be less wasteful; in
 the meantime I have removed use.local.desc from sources.gentoo.org
 (and also anoncvs, because they share the same repo.) I hope this is a
 short term (order of weeks) hack.
 
 -A

-- 
Andreas K. Huettel
Gentoo Linux developer
kde, sci, arm, tex, printing




Re: [gentoo-dev] We need *you* for a USE=selinux dependency

2011-12-05 Thread Ciaran McCreesh
On Sun, 4 Dec 2011 22:10:19 -0500
Rich Freeman ri...@gentoo.org wrote:
 In this particular case the approved PMS says In the pkg phases, at
 least one of the following conditions must be met: any command
 provided by a packaged listed in DEPEND is available; any command
 provided by a packaged listed in RDEPEND is available.

Yeah, that's a screwup that's been discussed at length. It shouldn't be
giving you any guarantees at all for pkg_*, since RDEPEND-RDEPEND
cycles need to be breakable (there are lots of them in the tree).

The fix is likely going to be an IDEPEND or something along those lines
in the next EAPI.

-- 
Ciaran McCreesh




Re: [gentoo-dev] sources.gentoo.org instability

2011-12-05 Thread Alec Warner
On Mon, Dec 5, 2011 at 3:48 AM, Andreas K. Huettel dilfri...@gentoo.org wrote:

 Seriously, what do we gain from crawlers accessing sources.gentoo.org?  I can't
 really remember seeing it once in a google query result...

We want the site searchable.


 Possibly it would not even be required to deny all requests, but just deny
 everything related to ancient history...

 Hello,

 For a while sources.gentoo.org has been puttering along and its health
 has slowly declined. We migrated it to some newer shiny hardware in an
 attempt to mitigate the problem but that did not pan out. 90% (or
 more) of sources.gentoo.org traffic is crawler bots and not actual
 humans. That being said; if we cannot serve requests to the bots
 within our timeouts we serve 500's instead which is never really what
 we want (particularly when we spent 20s of CPU to calculate 80% of the
 response only to see the client timeout :/.)

 The majority of the expensive requests are related to package.mask and
 use.local.desc queries by crawlers. Like crawling the entire 13000 rev
 history for package.mask (or similar.)

 While it is likely we will monkey patch viewvc to be less wasteful; in
 the meantime I have removed use.local.desc from sources.gentoo.org
 (and also anoncvs, because they share the same repo.) I hope this is a
 short term (order of weeks) hack.

 -A

 --
 Andreas K. Huettel
 Gentoo Linux developer
 kde, sci, arm, tex, printing





Re: [gentoo-dev] We need *you* for a USE=selinux dependency

2011-12-05 Thread Sven Vermeulen
On Mon, Dec 05, 2011 at 08:54:13AM +0100, Paweł Hajdan, Jr. wrote:
  In Gentoo, unlike some other distributions, we try to keep the number of
  loaded/installed modules to a minimum so that policy rebuilds as well as the
  system overhead is limited. This results in a base policy (provided by
  selinux-base-policy) and modules (provided by 
  sec-policy/selinux-modulename). To make
  sure that installations of a package pull in the right SELinux module, the
  proper dependencies must be defined.
 
 Are you sure this is right choice? It seems to me that it'd be better to
 focus on making things work, and increasing the complexity of the deps
 makes this harder (and increasing the number of packages you maintain
 too). Unless you have _abundant_ resources to deal with that, I'd like
 to discourage you from handling policies that way.

For end users, this is much more enjoyable. If we load up all policies, then
any interaction with the SELinux policies will take some time. Also, all
policies in memory do take up some space. Finally, for development purposes,
this is very much enjoyable as well, since it allows for much faster policy
development (rebuild policies in seconds to minutes rather than dozens of
minutes).

Maintenance is actually pretty easy. The eclass we use provides us with a
very easy interface to add modules, and because it is a module per ebuild,
we can push changes on individual modules without pushing full policy builds
again.

 Furthermore, imagine I'm adding a new package foo that is covered by
 the SELinux policy. Most developers don't use SELinux (hey, I suspect
 most of them don't even use developer profile; bad, bad!). How do I know
 whether it's sec-policy/selinux-foo that's not yet added or
 sec-policy/selinux-games or something else... If the complete policy is
 in one package, this should be obvious, and we don't even need deps for
 that.

I know. This is one major hurdle that we need to take on. Using dependencies
is the easiest approach, albeit the most resource intensive one
(initially, that is). I don't mind having the dependencies added as we go.
For our end users, we already documented that missing modules are to be
expected and how to resolve it.

 As said by other devs here, I also think it'd be more effective if you
 just do the change yourself. USE=selinux doesn't affect anything else
 so it's safe.

Ok, no problem. I'll check on IRC regardless, if not just to give a heads
up on changes.

Also, my apologies for not sorting the list. Careful readers will notice it
is sorted, but by the package name, not category :/ 

Thank you all for the feedback!

Wkr,
Sven Vermeulen



Re: [gentoo-dev] So now that we have --quiet-build as default, can we talk about a forced LC_MESSAGES=C again?

2011-12-05 Thread Chí-Thanh Christopher Nguyễn
Rich Freeman wrote:
 Can we  just translate the error messages?
 That seems pretty impractical to me.  Google Translate is about your
 only option here,

Actually the translation already exists in /usr/share/locale/ and just
needs to be looked up, so it appears not entirely impractical. Still,
probably not worth the effort.


Best regards,
Chí-Thanh Christopher Nguyễn



Re: [gentoo-dev] sources.gentoo.org instability

2011-12-05 Thread Chí-Thanh Christopher Nguyễn
Alec Warner wrote:
 Seriously, what do we gain from crawlers accessing sources.gentoo.org?  I can't
 really remember seeing it once in a google query result...
 
 We want the site searchable.

 The majority of the expensive requests are related to package.mask and
 use.local.desc queries by crawlers. Like crawling the entire 13000 rev
 history for package.mask (or similar.)

Would it be feasible to use mod_rewrite to direct the most expensive
requests to a static copy, which is re-generated every
${REASONABLE_TIMEFRAME}?


Best regards,
Chí-Thanh Christopher Nguyễn
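
The mod_rewrite idea from the message above, sketched as an Apache 2.4 virtual-host fragment. This is an added example, not configuration from the thread or from Gentoo infrastructure; the `/viewvc/` URL prefix, the snapshot directory, the crawler list and the refresh job are assumptions.

```apache
# Added example (Apache 2.4 vhost fragment). Assumptions, not from the thread:
# the /viewvc/ URL prefix, /var/cache/viewvc-static, the crawler list, and a
# scheduled job that re-renders each snapshot every ${REASONABLE_TIMEFRAME}.

RewriteEngine On

# Snapshots are plain files exposed under their own URL prefix.
Alias /static-log/ /var/cache/viewvc-static/
<Directory /var/cache/viewvc-static>
    Options None
    AllowOverride None
    Require all granted
</Directory>

# 1. Only self-identified crawlers are diverted; humans still get live data.
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp|baiduspider|yandex) [NC]
# 2. Only the full revision-log view, the expensive case named in the thread.
RewriteCond %{QUERY_STRING} (^|&)view=log(&|$)
# 3. Only if the snapshot exists; otherwise the request falls through to ViewVC.
#    $1 is the file name captured by the RewriteRule pattern below.
RewriteCond /var/cache/viewvc-static/$1.log.html -f
# The trailing "?" drops the original query string; PT hands the rewritten
# path back to URL mapping so the Alias above applies.
RewriteRule ^/viewvc/(?:.*/)?(package\.mask|use\.local\.desc)$ /static-log/$1.log.html? [PT,L]
```

The job that regenerates the snapshots should write to a temporary file and rename it into place, so the `-f` test never matches a half-written page.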