Re: [gentoo-dev] Last rites: net-misc/dhcpv6

2011-07-15 Thread Joshua Saddler

On Fri, 15 Jul 2011 10:59:29 +0300
Markos Chandras wrote:
> >> # Markos Chandras  (10 Jul 2011)
> >> # Dead upstream. Bugs #353788 and #348232
> >> # Alternatives:
> >> # net-misc/dibbler
> >> # net-misc/dhcp[ipv6]
> >> # Masked for removal in 30 days
> >> net-misc/dhcpv6
> > 
> > Not cool. For a few reasons:
> > 
> > 1. I had to delete significant sections of the ipv6 guide tonight,
> > since there's no documentation for these alternatives. Now there's
> > nothing on running an ipv6 dhcp server or client.
> 
> Which documentation are you referring to?

Sorry; meant to include the URI: http://www.gentoo.org/doc/en/ipv6.xml

> dhcpv6 has no stable keywords

Really? I thought it did. Then that's something the GDP should have
noticed when we initially added that section to the guide.

> True. I was to request stabilization as well.

Thanks.

> I can keep this package in the tree long enough until there is an
> alternative documentation available. My point is not to frustrate
> users but to "force" them to migrate to better alternatives. Moreover,
> remember that the dhcpv6 upstream is dead and dhcp[ipv6] is the
> official alternative. I don't quite see the point in supporting
> dhcpv6 anymore.

I don't like the idea of keeping a dead package around, either. My
main issue is that there's no documentation on using ipv6 configs
with net-misc/dhcp, so I have nothing to add to the guide.


Re: [gentoo-dev] RFC: Disambiguation of "hardened" use flag and proposal for a new global flag "pax_kernel"

2011-07-15 Thread Anthony G. Basile
On 07/15/2011 02:44 AM, Michał Górny wrote:
> On Thu, 14 Jul 2011 19:19:11 -0400
> Mike Frysinger wrote:
>
>>> 3) Since a hardened kernel can be configured with various flavors of
>>> "pax" or "grsec" or "selinux", there should be useflags to reflect
>>> userland needs to conform.  There already is a "selinux" flag which
>>> is set by selinux profiles. Currently we don't see a need for a
>>> "grsec" flag, however, there is a need for a "pax" global use flag
>>> which we propose calling "pax_kernel".  (If nothing else to
>>> distinguish it from app-arch/pax.)
>>>
>>> Userland binaries which will run under a pax enabled kernel may need
>>> special treatment to run, or else they'll be killed by the kernel.
>>> The best example here is an RWX mmapping.  Although the ideal case
>>> is to "fix the code" this is not always feasible and so binaries
>>> will still need markings with paxctl -m.
>> if `paxctl` is installed, then i say always run `paxctl` on the
>> problematic binaries regardless of USE flags.  have the
>> hardened-sources package depend on paxctl, and then that takes care
>> of the dependency. -mike
> Do we support migrating existing systems to hardened? If so, then this
> solution will leave users with a need to manually remerge pax-setting
> packages. Though, I guess, it's pretty easy to grab that package list
> on pax-utils.eclass inherit.
>

That could be a workable solution and would avoid the extra global flag,
but there is a glitch --- see below.  This can work because all gentoo
binaries are built with the needed ELF program header (PT_PAX) anyhow,
whether they're run under a non-hardened or pax-hardened kernel.  We can
mark them where needed as if they were going to be run under a
pax-hardened kernel, and if they're run under a non-hardened kernel, the
header is ignored and no harm done.

We do support "migration to hardened" but that means migrating to
"hardened toolchain + resulting hardened binaries".  You cannot avoid an
emerge world there.  "Migrating to a hardened kernel" would mean nothing
more than compiling hardened-sources and rebooting.  If the binaries are
correctly marked when they were first built, the user should be okay
without re-emerging anything.

So, here's the glitch.  For example, in dev-lang/mono, following the
above plan, we would drop the "hardened" flag, remove

   DEPEND=" ... hardened? ( sys-apps/paxctl )"

and replace

   if use hardened ; then
       ewarn "We are disabling MPROTECT on the mono binary."
       sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i \
           "${S}"/runtime/mono-wrapper.in
   fi

with just

   ewarn "We are disabling MPROTECT on the mono binary."
   sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i \
       "${S}"/runtime/mono-wrapper.in

But this assumes that paxctl is on the user's system which is not
guaranteed unless the user has emerged hardened-sources (which will
depend on paxctl). scanelf would have to be the replacement in such
cases because it is guaranteed to be there by the profiles.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
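
An added example, not part of the original message and not code from paxctl or pax-utils: a Python check for the PT_PAX program header the message above relies on. It reports the MPROTECT/RANDMMAP marking, applies the `-m`/`-r` marking in memory, and shows that a binary without the header cannot be marked. The function names and the sample ELF images are constructed for illustration; the flag bits follow the PaX definitions.

```python
import struct

PT_PAX_FLAGS = 0x65041580                  # PT_LOOS + 0x5041580
PF_MPROTECT, PF_NOMPROTECT = 1 << 8, 1 << 9
PF_RANDMMAP, PF_NORANDMMAP = 1 << 14, 1 << 15

def find_pax_phdr(image):
    """Return (file offset of p_flags, flags) for PT_PAX_FLAGS, or None."""
    if image[:4] != b"\x7fELF" or image[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if image[4] == 2:                      # ELFCLASS64
        phoff, = struct.unpack_from("<Q", image, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", image, 0x36)
        flags_at = 4                       # Elf64_Phdr: p_type, p_flags, ...
    else:                                  # ELFCLASS32
        phoff, = struct.unpack_from("<I", image, 0x1C)
        phentsize, phnum = struct.unpack_from("<HH", image, 0x2A)
        flags_at = 24                      # Elf32_Phdr: p_flags is the 7th word
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", image, base)[0] == PT_PAX_FLAGS:
            return base + flags_at, struct.unpack_from("<I", image, base + flags_at)[0]
    return None

def pax_state(image):
    """'absent' when there is no PT_PAX_FLAGS header, else the two settings."""
    hit = find_pax_phdr(image)
    if hit is None:
        return "absent"
    tri = lambda on, off: "on" if hit[1] & on else "off" if hit[1] & off else "unset"
    return {"MPROTECT": tri(PF_MPROTECT, PF_NOMPROTECT),
            "RANDMMAP": tri(PF_RANDMMAP, PF_NORANDMMAP)}

def mark_mr(image):
    """Apply the -m and -r markings in memory; False if the header is missing."""
    hit = find_pax_phdr(image)
    if hit is None:
        return False
    flags = (hit[1] & ~(PF_MPROTECT | PF_RANDMMAP)) | PF_NOMPROTECT | PF_NORANDMMAP
    struct.pack_into("<I", image, hit[0], flags)
    return True

def sample_elf64(with_pax):
    """Constructed sample: an ELF64 header and a single program header."""
    img = bytearray(64 + 56)
    img[:7] = b"\x7fELF\x02\x01\x01"
    struct.pack_into("<Q", img, 0x20, 64)         # e_phoff
    struct.pack_into("<HH", img, 0x36, 56, 1)     # e_phentsize, e_phnum
    struct.pack_into("<I", img, 64, PT_PAX_FLAGS if with_pax else 1)  # else PT_LOAD
    return img
```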




Re: [gentoo-dev] Last rites: net-misc/dhcpv6

2011-07-15 Thread Markos Chandras

On 15/07/2011 09:02 AM, Joshua Saddler wrote:
> On Sun, 10 Jul 2011 19:05:42 +0300
> Markos Chandras wrote:
> 
>> # Markos Chandras  (10 Jul 2011)
>> # Dead upstream. Bugs #353788 and #348232
>> # Alternatives:
>> # net-misc/dibbler
>> # net-misc/dhcp[ipv6]
>> # Masked for removal in 30 days
>> net-misc/dhcpv6
> 
> Not cool. For a few reasons:
> 
> 1. I had to delete significant sections of the ipv6 guide tonight,
> since there's no documentation for these alternatives. Now there's
> nothing on running an ipv6 dhcp server or client.

Which documentation are you referring to?
> 
> 2. There are no more stable dhcp/ipv6 packages in the tree. This
> sucks, both for users that run stable, and for the documentation,
> since we're only supposed to cover stable packages.

dhcpv6 has no stable keywords
> 
> - net-misc/dhcp doesn't get +ipv6 unless you emerge the ~arch version
> 4.x, and even then, there is NO documentation included on how to use
> it with ipv6.
https://bugs.gentoo.org/show_bug.cgi?id=374445
> 
> - net-misc/dibbler only has ~arch and hardmasked versions available.
> 
True. I was to request stabilization as well.

> Can anyone lend the GDP a hand and get us a couple of paragraphs on
> how to configure a dhcp/ipv6 server and client, similar to what we
> had in the guide? Ideally with a stable package, or maybe the
> maintainers could stabilize their ~arch alternatives.
> 
> I hate to use Markos' Last Rites email as a jumping off point, but
> it's these kinds of removals, the kind that shaft our users and
> documentation maintainers, that make me throw up my hands in
> frustration and take another step toward retirement. Markos, I'm not
> singling you out; this has been going on for a long time now, with
> many, many current and former developers: package maintainers
> almost *never* look at the docs or contact the GDP when going through
> package removals. I would like this to change. :)

I can keep this package in the tree long enough until there is an
alternative documentation available. My point is not to frustrate users
but to "force" them to migrate to better alternatives. Moreover, remember
that the dhcpv6 upstream is dead and dhcp[ipv6] is the official
alternative. I don't quite see the point in supporting dhcpv6 anymore.

-- 
Regards,
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2