[gentoo-portage-dev] Re: [PATCH v2] doebuild.py: Override network-sandbox in unpack only for live ebuilds (was: Re: [PATCH] Support PROPERTIES="live")

2019-07-29 Thread Zac Medico
On 7/29/19 3:28 PM, Ulrich Mueller wrote:
>> On Mon, 29 Jul 2019, Zac Medico wrote:
> 
>> This will enable network-sandbox for all of _networked_phases, but
>> Michał only suggested to do it for src_unpack.
> 
> Right. Patch v2 below.
> 
> 
> From 6e929fac0a3f5f0bcfe85152c0931cb20d579881 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ulrich=20M=C3=BCller?= 
> Date: Mon, 29 Jul 2019 14:22:57 +0200
> Subject: [PATCH] doebuild.py: Override network-sandbox in unpack only for live
>  ebuilds.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> Suggested-by: Michał Górny 
> Signed-off-by: Ulrich Müller 
> ---
>  lib/portage/package/ebuild/doebuild.py | 11 +++
>  1 file changed, 3 insertions(+), 8 deletions(-)
> 
> diff --git a/lib/portage/package/ebuild/doebuild.py 
> b/lib/portage/package/ebuild/doebuild.py
> index 67867d33e..6f980f87d 100644
> --- a/lib/portage/package/ebuild/doebuild.py
> +++ b/lib/portage/package/ebuild/doebuild.py
> @@ -115,13 +115,6 @@ _ipc_phases = frozenset([
>  _global_pid_phases = frozenset([
>   'config', 'depend', 'preinst', 'prerm', 'postinst', 'postrm'])
>  
> -# phases in which networking access is allowed
> -_networked_phases = frozenset([
> - # for VCS fetching
> - "unpack",
> - # + for network-bound IPC
> -] + list(_ipc_phases))
> -
>  _phase_func_map = {
>   "config": "pkg_config",
>   "setup": "pkg_setup",
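Review bot: Removing the module-level name `_networked_phases` in this hunk is only safe if nothing else refers to it, and the patch replaces just one use, in `_doebuild_spawn`. Check the tree for other references (including imports of the name from `doebuild.py`) before merging. The deleted block also held the only comments saying why these phases get network access ("for VCS fetching", "for network-bound IPC"), so carry that rationale over as a comment next to the new inline condition.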
> @@ -156,7 +149,9 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
> **kwargs):
>   phase in _ipc_phases
>   kwargs['mountns'] = 'mount-sandbox' in settings.features
>   kwargs['networked'] = 'network-sandbox' not in settings.features or \
> - phase in _networked_phases or \
> + (phase == 'unpack' and \
> + 'live' in settings.configdict['pkg'].get('PROPERTIES', 
> '').split()) or \
> + phase in _ipc_phases or \
>   'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
>   kwargs['pidns'] = ('pid-sandbox' in settings.features and
>   phase not in _global_pid_phases)
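Review bot: The new test in the `kwargs['networked']` expression whitespace-splits the PROPERTIES string taken from `settings.configdict['pkg']`, while the RESTRICT test at the end of the same expression reads `settings['PORTAGE_RESTRICT']`. If the stored PROPERTIES value can still contain a USE-conditional group, `.split()` yields a bare `live` token whether or not the flag is enabled, and unpack would get network access for a build that is not live. Confirm the value is already reduced at this point, or read it through the same evaluated path the RESTRICT check uses.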
> 

Looks good. Please merge.
-- 
Thanks,
Zac





[gentoo-portage-dev] [PATCH v2] doebuild.py: Override network-sandbox in unpack only for live ebuilds (was: Re: [PATCH] Support PROPERTIES="live")

2019-07-29 Thread Ulrich Mueller
> On Mon, 29 Jul 2019, Zac Medico wrote:

> This will enable network-sandbox for all of _networked_phases, but
> Michał only suggested to do it for src_unpack.

Right. Patch v2 below.


From 6e929fac0a3f5f0bcfe85152c0931cb20d579881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= 
Date: Mon, 29 Jul 2019 14:22:57 +0200
Subject: [PATCH] doebuild.py: Override network-sandbox in unpack only for live
 ebuilds.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Suggested-by: Michał Górny 
Signed-off-by: Ulrich Müller 
---
 lib/portage/package/ebuild/doebuild.py | 11 +++
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/lib/portage/package/ebuild/doebuild.py 
b/lib/portage/package/ebuild/doebuild.py
index 67867d33e..6f980f87d 100644
--- a/lib/portage/package/ebuild/doebuild.py
+++ b/lib/portage/package/ebuild/doebuild.py
@@ -115,13 +115,6 @@ _ipc_phases = frozenset([
 _global_pid_phases = frozenset([
'config', 'depend', 'preinst', 'prerm', 'postinst', 'postrm'])
 
-# phases in which networking access is allowed
-_networked_phases = frozenset([
-   # for VCS fetching
-   "unpack",
-   # + for network-bound IPC
-] + list(_ipc_phases))
-
 _phase_func_map = {
"config": "pkg_config",
"setup": "pkg_setup",
@@ -156,7 +149,9 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
**kwargs):
phase in _ipc_phases
kwargs['mountns'] = 'mount-sandbox' in settings.features
kwargs['networked'] = 'network-sandbox' not in settings.features or \
-   phase in _networked_phases or \
+   (phase == 'unpack' and \
+   'live' in settings.configdict['pkg'].get('PROPERTIES', 
'').split()) or \
+   phase in _ipc_phases or \
'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
kwargs['pidns'] = ('pid-sandbox' in settings.features and
phase not in _global_pid_phases)
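Review bot: The added lines in the `kwargs['networked']` expression nest a parenthesised `and` inside a backslash-continued `or` chain, and the backslash after `and` is redundant inside the parentheses. Compute the live test once into a local (a name such as `is_live` would do) and wrap the whole right-hand side in one pair of parentheses, as the `kwargs['pidns']` assignment just below already does. That keeps the `and`/`or` grouping that decides network access easy to audit.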
-- 
2.22.0




Re: [gentoo-portage-dev] [PATCH] Support PROPERTIES="live".

2019-07-29 Thread Zac Medico
On 7/28/19 9:31 PM, Michał Górny wrote:
> On Sun, 2019-07-28 at 17:21 -0700, Zac Medico wrote:
>> On 7/26/19 3:45 PM, Michał Górny wrote:
>>> While at it, could you look into making src_unpack() network-sandbox
>>> override apply only to ebuilds with PROPERTIES=live?
>>
>> There could be another subset of packages that aren't quite "live" but
>> they need to fetch something that's immutable which can't be fetched via
>> a protocol supported by SRC_URI. Maybe call it
>> PROPERTIES="src-fetch-immutable" or something.
> 
> Could you name one of those packages, and explain how they are not
> 'live' if they skip checksum verification?  I'm really against adding
> hundreds of weird-named items for the sake of potential use cases
> without a real benefit to it.

I don't have any particular package in mind, but it would apply to
anything that uses git-r3.eclass with a constant EGIT_COMMIT value, or
uses cros-workon.eclass with a constant CROS_WORKON_COMMIT value:

https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/refs/heads/master/eclass/cros-workon.eclass

Anyway, since RESTRICT=network-sandbox and PROPERTIES=live are
available, I suppose it's pretty safe to wait and see if there's demand
for a different PROPERTIES value.
-- 
Thanks,
Zac





Re: [gentoo-portage-dev] [PATCH] Support PROPERTIES="live".

2019-07-29 Thread Zac Medico
On 7/29/19 5:39 AM, Ulrich Mueller wrote:
>> On Sat, 27 Jul 2019, Michał Górny wrote:
> 
>> While at it, could you look into making src_unpack() network-sandbox
>> override apply only to ebuilds with PROPERTIES=live?
> 
> I believe the patch included below would do that.
> 
> Ulrich
> 
> 
> From f4ebd25a04d5eb64504724b711b41141723afcd4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ulrich=20M=C3=BCller?= 
> Date: Mon, 29 Jul 2019 14:22:57 +0200
> Subject: [PATCH] doebuild.py: Override network-sandbox only for live ebuilds.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> Suggested-by: Michał Górny 
> Signed-off-by: Ulrich Müller 
> ---
>  lib/portage/package/ebuild/doebuild.py | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/portage/package/ebuild/doebuild.py 
> b/lib/portage/package/ebuild/doebuild.py
> index 67867d33e..cab838ead 100644
> --- a/lib/portage/package/ebuild/doebuild.py
> +++ b/lib/portage/package/ebuild/doebuild.py
> @@ -156,7 +156,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
> **kwargs):
>   phase in _ipc_phases
>   kwargs['mountns'] = 'mount-sandbox' in settings.features
>   kwargs['networked'] = 'network-sandbox' not in settings.features or \
> - phase in _networked_phases or \
> + (phase in _networked_phases and \
> + 'live' in settings.configdict['pkg'].get('PROPERTIES', 
> '').split()) or \
>   'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
>   kwargs['pidns'] = ('pid-sandbox' in settings.features and
>   phase not in _global_pid_phases)
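Review bot: With the `and` added to the `_networked_phases` test, a non-live ebuild keeps network access under FEATURES containing network-sandbox only through the last term, `'network-sandbox' in settings['PORTAGE_RESTRICT'].split()`. Neither the commit message nor a code comment says so. Document that ebuilds which fetch during a build phase without PROPERTIES=live now need that RESTRICT value, so the change does not surface as unexplained fetch failures.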
> 

This will enable network-sandbox for all of _networked_phases, but
Michał only suggested to do it for src_unpack.
-- 
Thanks,
Zac





Re: [gentoo-portage-dev] [PATCH] Support PROPERTIES="live".

2019-07-29 Thread Ulrich Mueller
> On Sat, 27 Jul 2019, Michał Górny wrote:

> While at it, could you look into making src_unpack() network-sandbox
> override apply only to ebuilds with PROPERTIES=live?

I believe the patch included below would do that.

Ulrich


From f4ebd25a04d5eb64504724b711b41141723afcd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= 
Date: Mon, 29 Jul 2019 14:22:57 +0200
Subject: [PATCH] doebuild.py: Override network-sandbox only for live ebuilds.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Suggested-by: Michał Górny 
Signed-off-by: Ulrich Müller 
---
 lib/portage/package/ebuild/doebuild.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/portage/package/ebuild/doebuild.py 
b/lib/portage/package/ebuild/doebuild.py
index 67867d33e..cab838ead 100644
--- a/lib/portage/package/ebuild/doebuild.py
+++ b/lib/portage/package/ebuild/doebuild.py
@@ -156,7 +156,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
**kwargs):
phase in _ipc_phases
kwargs['mountns'] = 'mount-sandbox' in settings.features
kwargs['networked'] = 'network-sandbox' not in settings.features or \
-   phase in _networked_phases or \
+   (phase in _networked_phases and \
+   'live' in settings.configdict['pkg'].get('PROPERTIES', 
'').split()) or \
'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
kwargs['pidns'] = ('pid-sandbox' in settings.features and
phase not in _global_pid_phases)
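Review bot: The `and` in `(phase in _networked_phases and 'live' in ...)` gates every member of `_networked_phases` on PROPERTIES=live, not just unpack. Per the definition of that set shown in the v2 patch in this thread, it is "unpack" plus `list(_ipc_phases)`, so non-live ebuilds would also lose networking in the IPC phases, which were allowed "for network-bound IPC". Test `phase == 'unpack'` together with the live check and keep `phase in _ipc_phases` as its own unconditional term.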
-- 
2.22.0





Re: [gentoo-portage-dev] [PATCH] Support PROPERTIES="live".

2019-07-29 Thread Ulrich Mueller
> On Mon, 29 Jul 2019, Michał Górny wrote:

> On Sun, 2019-07-28 at 17:21 -0700, Zac Medico wrote:
>> There could be another subset of packages that aren't quite "live" but
>> they need to fetch something that's immutable which can't be fetched via
>> a protocol supported by SRC_URI. Maybe call it
>> PROPERTIES="src-fetch-immutable" or something.

> Could you name one of those packages, and explain how they are not
> 'live' if they skip checksum verification?  I'm really against adding
> hundreds of weird-named items for the sake of potential use cases
> without a real benefit to it.

+1

