Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Maxim Kammerer 
On Wed, Apr 10, 2013 at 8:15 AM, Mike Frysinger vap...@gentoo.org wrote:
 i plan on updating the latest glibc to add USE=suid.  in pkg_preinst and
 ROOT==/, the ebuild will read /proc/mounts for a devpts line with gid=5.  if
 it doesn't find one, i'll have it call `die`.

What about chroot builds? I have /dev/pts bind-mounted from the (old)
host filesystem into chroot, yet pt_chown has its suid bit happily
disabled in deployed build since long time ago.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

[gentoo-dev] Re: [RFC] Establishing Gentoo patch policy to keep our patches consistent and clean

2013-04-12 Thread Steven J. Long 
On Mon, Apr 08, 2013 at 12:30:08AM +1000, Michael Palimaka wrote:
 On 7/04/2013 16:53, Kacper Kowalik wrote:
  On 06.04.2013 20:08, Michał Górny wrote:
  As far as I'm aware, we don't really have much of a patch maintenance
  policy in Gentoo. There a few loose rules like «don't put awfully big
  files into FILESDIR» or the common sense «use unified diff», but no
  complete and clear policy.

As soon as I saw this I thought of the same clean-patches doc as Kacper.

 1-4 are basically about making patches work better in the automated ebuild
framework, and I heartily agree (when it does not entail modifying 'upstream'
or rather imported patches; shared with other distros in particular.) Your
other post made a lot of sense (with the glob restriction.)

  5. The patch name shall shortly summarize the changes done by it.
 
  6. Patch files shall start with a brief description of what the patch
  does. Developers are encouraged to use git-style tags like 'Fixes:' to
  point to the relevant bug URIs.
 
  7. Patch combining is discouraged. Developers shall prefer multiple
  patches following either the upstream commits or a logical commit
  sequence (if changes are not committed upstream).
 
  The above-listed policy will apply to the patches kept in the gx86 tree
  (in FILESDIRs) and patch archives created by Gentoo developers. They
  will not apply to the patch archives created upstream.
 

 Patches in FILESDIR are often those imported from and shared with other
distros.

  there's at least one guideline written by the Ancient Ones that I know
  [1] It roughly follows the ideas that you've described. I think it'd be
  enough if people read it and used as a suggestion not a strict ruling.
  Imposing things like lexical order or git-style heading is a bit too
  much for me
 
  Do we really need rules for everything?
 
  Cheers,
  Kacper
 
  [1] http://dev.gentoo.org/~vapier/clean-patches
 
 
 We already have policy regarding patches[1], this just expands and 
 formalises it a bit more.

 Trouble is it's got a lot less meat than vapier's doc. If you're expanding
and formalising it's a good opportunity to add more relevant info, as well
as the formalities that will make EAPI-6 patching cleaner.
 
 vapier's clean-patches document is an informative read, but I don't 
 think devspace is a good method of disseminating of information that may 
 not necessarily reflect the reality of the project.

So why not just merge vapiers work into the devmanual, along with updated
info to deal with newer git style tags? ATM the devmanual is woefully thin
in comparison; it should be more prescriptive, along with the reasons, just
like vapier wrote it the first time around (I actually link people to
vapier's doc on IRC, but I'd never link them to the current devmanual as it
has little tutorial content for a beginner, just some basic info mostly
Gentoo-specific.)

Sure, you can make the language a bit nicer, but really before you push policy
there needs to be best practice info in place first (and that usually means
content with wider development context, like the clean-patches doc.)

Regards,
steveL. 
-- 
#friendly-coders -- Where everybody knows your nick ;-)

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Mike Frysinger 
On Friday 12 April 2013 02:50:20 Maxim Kammerer wrote:
 On Wed, Apr 10, 2013 at 8:15 AM, Mike Frysinger vap...@gentoo.org wrote:
  i plan on updating the latest glibc to add USE=suid.  in pkg_preinst and
  ROOT==/, the ebuild will read /proc/mounts for a devpts line with gid=5. 
  if it doesn't find one, i'll have it call `die`.
 
 What about chroot builds? I have /dev/pts bind-mounted from the (old)
 host filesystem into chroot, yet pt_chown has its suid bit happily
 disabled in deployed build since long time ago.

i don't know what you mean.  if the ebuild detects devpts being mounted and 
the mount is incorrect, it will die.  if you don't have devpts mounted at all, 
then it assumes you know what you're doing.
-mike


signature.asc
Description: This is a digitally signed message part.

[gentoo-dev] Binary package dependencies for sub-slot-less EAPIs

2013-04-12 Thread W. Trevor King 
Over on #gentoo-releng and in gentoo-catalyst@ we've been running into
binary package dependency problems [1].  Before EAPI-5 and sub-slots,
the version of dependency packages is not recorded in the binary
package metadata (the Packages file).  For example, a binary package
for GCC built against mpc-0.8.2 will link to libmpc.so.2.  If you
install that package on a system that only has mpc-1.0.1 (and thus,
libmpc.so.3), your cc1 will crash because libmpc.so.2 is missing.
What we need is a way to track ABI sub-slot dependencies for all
packages, even those that currently use EAPI-0.

My initial idea was to store a fake EAPI-5-style sub-slot information
in the binary package metadata, but further discussion on
#gentoo-portage pointed me at the toolchain folks:

  10:33  zmedico dol-sen: wouldn't it be easier to just migrate
  those pkgs to EAPI 5 + slot-operator?
  10:34 * zmedico doesn't feel like doing extra work when EAPI 5
  already does everything we need
  …
  11:16  Tommy[D]_ Zero_Chaos: my suggestion: ask the toolchain guys
  about their preferred way (like updating existing eclass,
  using a new eclass, moving code into ebuilds) and when you
  got that, do the needed work, including an EAPI-5 version of
  toolchain ebuilds

I looked in bugzilla for requests to update the toolchain EAPIs, but
didn't find anything [2].  I don't want to bother people if the issue
had already been hashed out, and searching on Gmane turned up the
“[RFC] Drop EAPI=0 requirement for system packages.” thread from last
October [3].  This early comment from Rich seemed to summarize the
anti-EAPI-bump camp:

On Wed, Oct 17, 2012 at 03:00:12PM -0400, Rich Freeman wrote:
 A policy that says all new ebuilds shall use EAPI foo might result in
 fewer new ebuilds.  Sure, they'll have new and shiny fooness, but
 arguably I'd rather have more packages supported on older EAPIs then
 fewer packages supported on newer ones.
 
 Again, as I stated before, things that actually benefit the end users
 like slot dependencies are fine to mandate when it makes sense to do
 so.

In other words, “Why force folks to do this if there is no benefit?”.
This is understandable, but I think the broken binary packages [1] are
enough of a visible benefit.  The thread suggested filing bugs for
bumping effected packages, but for this issue “effected packages” is
“anything you might want to distribute as a binary package that uses
something without EAPI-5 sub-slots” [4].  I'm happy to start filing
bugs, but that doesn't strike me as the most productive way forward.

If anyone can think of other solutions besides tweaking Portage or
bumping a bunch of package EAPIs, I'd be happy to hear them ;).
Otherwise I'd be happy to hear suggestions about moving forward on at
least one of those fronts.  Since I seem to be the most bothered by
this issue, it's only fair that I help with the itch scratching.  I
just need a roadmap from the folks with commit access so I can start
chipping away at whichever solution y'all think looks most appealing
;).

Cheers,
Trevor

[1]: http://thread.gmane.org/gmane.linux.gentoo.catalyst/2137/focus=2237
[2]: 
https://bugs.gentoo.org/buglist.cgi?short_desc=EAPIresolution=---query_format=advancedbug_status=UNCONFIRMEDbug_status=CONFIRMEDbug_status=IN_PROGRESSbug_status=RESOLVEDbug_status=VERIFIEDshort_desc_type=allwordssubstrcomponent=Core%20systemcomponent=Developmentcomponent=Core%20systemcomponent=Developmentproduct=Gentoo%20Linux
[3]: http://thread.gmane.org/gmane.linux.gentoo.devel/80705
[4]: Although on the catalyst side, only @system is really important.



-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Maxim Kammerer 
On Fri, Apr 12, 2013 at 7:22 PM, Mike Frysinger vap...@gentoo.org wrote:
 i don't know what you mean.  if the ebuild detects devpts being mounted and
 the mount is incorrect, it will die.  if you don't have devpts mounted at all,
 then it assumes you know what you're doing.

What I am saying is that you make no distinction between build
environment and deployment environment. Quite a few users build their
Gentoo systems in a chroot. In that case, whole /dev, or its portions
(including /dev/pts) can be bind-mounts from the host filesystem, and
/dev/pts does not need to have the correct permissions. However, you
*would* see such a bind-mount as a devpts mount in /proc/mounts. So
why not print a warning — what's the point of dying in pkg_preinst?

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

Re: [gentoo-dev] Binary package dependencies for sub-slot-less EAPIs

2013-04-12 Thread Rich Freeman 
On Fri, Apr 12, 2013 at 12:25 PM, W. Trevor King wk...@tremily.us wrote:
 In other words, “Why force folks to do this if there is no benefit?”.
 This is understandable, but I think the broken binary packages [1] are
 enough of a visible benefit.

I certainly agree.  As I bump my own packages I'll certainly be
looking for opportunities to use slot operator dependencies and will
certainly bump to EAPI5 when I find them, and if somebody were to
state that EAPI6 was going to make the lives of binary package users
much better I'd be all for pushing to get everything onto EAPI6.

My only concern was to let the actual benefits be the driver.

Rich

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Mike Gilbert 
On Fri, Apr 12, 2013 at 1:20 PM, Maxim Kammerer m...@dee.su wrote:
 On Fri, Apr 12, 2013 at 7:22 PM, Mike Frysinger vap...@gentoo.org wrote:
 i don't know what you mean.  if the ebuild detects devpts being mounted and
 the mount is incorrect, it will die.  if you don't have devpts mounted at 
 all,
 then it assumes you know what you're doing.

 What I am saying is that you make no distinction between build
 environment and deployment environment. Quite a few users build their
 Gentoo systems in a chroot. In that case, whole /dev, or its portions
 (including /dev/pts) can be bind-mounts from the host filesystem, and
 /dev/pts does not need to have the correct permissions. However, you
 *would* see such a bind-mount as a devpts mount in /proc/mounts. So
 why not print a warning — what's the point of dying in pkg_preinst?


Do you have a reason for not having /dev/pts mounted with gid=5 on the
system hosting the chroot environment?

Calling die is much more likely to save users systems than an ewarn.

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread James Cloos 
 MF == Mike Frysinger vap...@gentoo.org writes:

 It will impact everyone who has /dev/pts in fstab(5).

MF don't do that.

*I* didn't.

I don't know /what/ added it, but something did.  With noauto, just like
the other reported case.

It shouldn't matter how rare it is though.  A general announcement won't
hurt anyone.

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Mike Frysinger 
On Friday 12 April 2013 13:20:11 Maxim Kammerer wrote:
 On Fri, Apr 12, 2013 at 7:22 PM, Mike Frysinger vap...@gentoo.org wrote:
  i don't know what you mean.  if the ebuild detects devpts being mounted
  and the mount is incorrect, it will die.  if you don't have devpts
  mounted at all, then it assumes you know what you're doing.
 
 What I am saying is that you make no distinction between build
 environment and deployment environment. Quite a few users build their
 Gentoo systems in a chroot. In that case, whole /dev, or its portions
 (including /dev/pts) can be bind-mounts from the host filesystem, and
 /dev/pts does not need to have the correct permissions. However, you
 *would* see such a bind-mount as a devpts mount in /proc/mounts. So
 why not print a warning — what's the point of dying in pkg_preinst?

unless you have a good reason for having the host devpts being mounted wrong, 
i'm not inclined to support this.  every major distro that matters that i know 
of does it this way and has for a long time: Debian, Ubuntu, Fedora, Gentoo.

if it encourages people to fix their host distro to also not suck, well that's 
just a bonus.
-mike


signature.asc
Description: This is a digitally signed message part.

Re: [gentoo-dev] Re: glibc: pt_chown setuid going away by default

2013-04-12 Thread Mike Frysinger 
On Thursday 11 April 2013 22:19:40 Duncan wrote:
 Mike Frysinger posted on Thu, 11 Apr 2013 12:49:00 -0400 as excerpted:
  On Thursday 11 April 2013 11:43:59 James Cloos wrote:
   MF == Mike Frysinger vap...@gentoo.org writes:
  MF this should impact very few (if any)
  MF users, so i don't think a news item makes sense.
  
  It will impact everyone who has /dev/pts in fstab(5).
  
  don't do that.  delete the line.
 
 I wonder if I added my devpts fstab entry (if as you say it wasn't an
 automated add) some time ago, when there was some security related hubbub
 over it, as significantly, my fstab entry has nosuid, noexec, while the
 default for it in /etc/init.d/devfs does not.
 
 My fstab devpts entry also has noauto, but that's likely simply due to it
 being an fstab entry...
 
 Regardless, that's at least two gentooers with installations dating from
 the early 00s that have reported having the (GID-less) entry in fstab
 now, so I strongly suspect it's going to affect more users, at least long-
 time users, than you thought.  It may in fact affect the majority of
 users from that era... anyone who hasn't manually removed that entry from
 fstab over the years.
 
 You mention it wasn't in the old baselayout/openrc tarballs.  What about
 the early stages?  Perhaps that's where it came from?  Anyone with 2004.x
 vintage stage tarballs around to check?

stages get their files from baselayout/openrc.  they don't generate them 
themselves.

Robin found even older baselayout releases for me.  baselayout-1.8.6.12 
(released Nov 2011) and newer don't contain any mention of devpts.

i don't know about 2004 releases, but i have stage tarballs i built in Oct 
2005 using gcc-2.95 and they're exactly what i expect -- they match the 
baselayout install.
-mike


signature.asc
Description: This is a digitally signed message part.

[gentoo-dev] rfc: toolchain-funcs: target-has-split-usr API?

2013-04-12 Thread Gregory M. Turner 
What do people think of something like this?  Obviously the equivalent 
patch to prefix would need to include a test for 
PREFIX_DISABLE_GEN_USR_LDSCRIPT:


Author: Gregory M. Turner gmturner...@ameritech.net
Date:   Fri Apr 12 11:13:21 2013 -0700

eclass/toolchain-funcs: Add target-has-split-usr API

Move the platform-filtering code from gen_usr_ldscript into its own
API so that ebuilds can reliably test whether gen_usr_ldscript does
something or not in the currently applicable environment.  See
in-source comments for more details.

Signed-off-by: Gregory M. Turner gmturner...@ameritech.net

diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
index 9b94512..7600aaf 100644
--- a/eclass/toolchain-funcs.eclass
+++ b/eclass/toolchain-funcs.eclass
@@ -604,6 +604,36 @@ gcc-specs-nostrict() {
 return $([[ ${directive/\{!fstrict-overflow:} != ${directive} ]])
 }

+# @FUNCTION: target-has-split-usr
+# @DESCRIPTION:
+# This function returns 0 (true) if, for the currently
+# targeted platform, portage is presuming that a split-usr
+# configuration must be maintained.  When target-has-split-usr
+# returns a nonzero (false) value, gen_usr_ldscript is a noop. This
+# may be handy in cases where an ebuild needs to decide, i.e., whether
+# it makes sense to move certain files from /usr/bin to /bin
+# in an ebuild.  In the future, the assumption that critical
+# stuff ends up in /bin and /$(libdir) whereas noncritical
+# stuff ends up in /usr/bin and /usr/$(libdir) may be removed
+# from portage entirely, or relegated to a legacy-support role.
+# As of April 2013, discussion was ongoing in the Gentoo developer
+# community as to what exactly to change and how (see bug #417451).
+# By predicating ebuild code on target-has-split-usr, which exists solely
+# to maintain a split-usr layout, ebuilds can future-proof themselves
+# against changes to the precise criteria that determine whether or not
+# split-usr is in effect for a given target and configuration.
+target-has-split-usr() {
+tc-is-static-only  return 1
+
+case ${CTARGET:-${CHOST}} in
+*-darwin*) return 0;;
+*linux*|*-freebsd*|*-openbsd*|*-netbsd*)
+use prefix  return 1
+return 0
+;;
+*) return 1 ;;
+esac
+}

 # @FUNCTION: gen_usr_ldscript
 # @USAGE: [-a] list of libs to create linker scripts for
@@ -620,19 +650,10 @@ gcc-specs-nostrict() {
 # the library (libfoo.so), as ldconfig should usually update it
 # correctly to point to the latest version of the library present.
 gen_usr_ldscript() {
+target-has-split-usr || return 0
 local lib libdir=$(get_libdir) output_format= auto=false 
suffix=$(get_libname)

 [[ -z ${ED+set} ]]  local ED=${D%/}${EPREFIX}/

-tc-is-static-only  return
-
-# Eventually we'd like to get rid of this func completely #417451
-case ${CTARGET:-${CHOST}} in
-*-darwin*) ;;
-*linux*|*-freebsd*|*-openbsd*|*-netbsd*)
-use prefix  return 0 ;;
-*) return 0 ;;
-esac
-
 # Just make sure it exists
 dodir /usr/${libdir}


--
gmt

Re: [gentoo-dev] glibc: pt_chown setuid going away by default

2013-04-12 Thread Mike Frysinger 
On Friday 12 April 2013 15:41:55 James Cloos wrote:
  MF == Mike Frysinger vap...@gentoo.org writes:
  It will impact everyone who has /dev/pts in fstab(5).
 
 MF don't do that.
 
 *I* didn't.

that you remember.  i think it's more likely you copy  pasted some line a 
long time ago than baselayout modified it for you.

two people who have installs that are a decade old doesn't incline me to write 
a news entry.  not when the ebuild itself contains a sanity check that 
triggers exactly as needed and includes an error message explaining things.  
we aren't talking about an upgrade here that will silently  accidentally 
break your box on next boot (like udev  friends), or will break running 
programs (like SONAME bumps, although that's a much less of a problem now that 
portage handles things automatically).
-mike


signature.asc
Description: This is a digitally signed message part.

[gentoo-dev] [PATCHES] kernel-2.eclass: Various changes requested by users. + [STABLEREQ?] sys-kernel/gentoo-sources-3.8.7: Any objections against stabilizing?

2013-04-12 Thread Tom Wijsman 
Hello everyone


Attached you will find the various changes I plan to apply to
kernel-2.eclass after a week if there are no objections, feel free to
take a look at them. A summary of the changes:

- Added a warning after the variables that modifying other variables in
  the eclass is not supported, there is a chance that we will not fix
  resulting bugs. Fixes bug #421721.

- Make use of readme.gentoo.eclass to make the user aware of the Gentoo
  Linux Kernel Upgrade Guide only the first time he emerges the
  package. Fixes bug #457598.

- Clarify the default DESCRIPTION and make it not use versions, a
  directory with ebuilds that inherit this eclass may contain multiple
  versions and we also don't want to give the impression that a new
  directory needs to made if that's not the case. Fixes bug #445110.

- Clarified which patch depths are used in the normal output and error
  output when applying patches. Fixes bug #436402.

- Made sure .tmp_gas_check is created inside the temp folder, it
  accidentally created temp.tmp_gas_check instead. Fixes bug #336732.

- Make UNIPATCH_DOCS work again, install _README document when
  using genpatches. Fixes bug #301478.

Since these are quite a few changes, it doesn't hurt posting them here.

I'll also summarize the past commits I made, for those who missed them:

- Kernel sources and (gen)patches now use xz instead of bz2. Fixes bug
  #421721.

- Added sys-devel/bc as a RDEPEND to kernel-2.eclass. Fixes bug
  #461848.

- Use UID 0 instead of root to assign permissions to super user. Fixes
  bug #315807.

The commit diffs can be obtained at http://sources.gentoo.org/

There is a guideline that reporting small changes to barely used
eclasses here is not required, but that made some out-of-tree users
unhappy; sorry for that, I'll try to get every eclass change reviewed
in the future to avoid these issues. Small changes, like the above, I
will try to combine together to avoid unnecessary mail and commit spam.

That being said, since 3.8.7 has landed upstream we would like to hear
about any issues we don't know about yet that would block stabilization;
if we can, I plan to start stabilization in less than two weeks. Unless
there are valid reasons for this to be done earlier/later.

I'll add 3.2.43 and 3.8.7 to the tree in a moment, as it is late 3.0.73
and 3.4.40 will be for tomorrow...

Have a nice day. :)

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : tom...@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D


kernel-2.eclass.patches
Description: Binary data


signature.asc
Description: PGP signature

Pass ${@} in phase functions Re: [gentoo-dev] [PATCH] Introduce cmake-multilib wrapper for cmake-utils.

2013-04-12 Thread Michael Weber 
Hi,

I'm not sure if it's a sane way to push make -j1 via

src_compile() {
cmake-multilib_src_compile -j1
}

but I detected a lack of functionality in the current
cmake-multilib.eclass. Both cmake-utils.eclass and multilib-build.eclass
have it, so it might be sound to continue with this behavior.

Comments, pls.

   Michael


Index: cmake-multilib.eclass
===
RCS file: /var/cvsroot/gentoo-x86/eclass/cmake-multilib.eclass,v
retrieving revision 1.1
diff -u -B -r1.1 cmake-multilib.eclass
--- cmake-multilib.eclass   10 Feb 2013 11:44:55 -  1.1
+++ cmake-multilib.eclass   13 Apr 2013 00:58:17 -
@@ -33,24 +33,24 @@
 EXPORT_FUNCTIONS src_configure src_compile src_test src_install

 cmake-multilib_src_configure() {
-   multilib_parallel_foreach_abi cmake-utils_src_configure
+   multilib_parallel_foreach_abi cmake-utils_src_configure ${@}
 }

 cmake-multilib_src_compile() {
-   multilib_foreach_abi cmake-utils_src_compile
+   multilib_foreach_abi cmake-utils_src_compile ${@}
 }

 cmake-multilib_src_test() {
-   multilib_foreach_abi cmake-utils_src_test
+   multilib_foreach_abi cmake-utils_src_test ${@}
 }

 cmake-multilib_src_install() {
cmake-multilib_secure_install() {
-   cmake-utils_src_install
+   cmake-utils_src_install ${@}

# Make sure all headers are the same for each ABI.
multilib_check_headers
}

-   multilib_foreach_abi cmake-multilib_secure_install
+   multilib_foreach_abi cmake-multilib_secure_install ${@}
 }


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org