Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 11/08/17 03:08, William L. Thomson Jr. wrote: > Lets go down this rabbit hole. Let's not. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Thu, 10 Aug 2017 13:33:54 +1000 "Sam Jorna (wraeth)"wrote: > > This is no greater risk than syncing from a potentially compromised > mirror. You would use a mirror you trust and, similarly (perhaps even > more so) you would use a binhost you trust. Getting a bit ridiculous now. Let me get my tin foil hat. So your suggesting Gentoo mirrors are could be compromised? Your saying that Gentoo repo gets compromised. Which then leaks out onto mirrors. If a mirror is compromised, clearly it would not match up to other mirrors or the master Gentoo repo. All with no one in the world noticing. Not a likely scenario. Lets go down this rabbit hole. Lets say Gentoo repo was compromised. You simply look at upstream sources and their hashes. If Gentoo mirrored sources do not match up to upstream. Then you know something is wrong. Thus you have many ways to verify, pull from mirror, compare to mirror, compared to master Gentoo repo, compare to upstream. None of that can be done with a binpkg. There are no public binhost. There is no official Gentoo binhost. That is something people setup. They may trust their own binhost. But to imply that is more trust worthy than public stuff that is in more than one verifiable location against 3rd parties. That logic does not hold up. > It does raise the idea of some form of signing of the Packages file, > similar to gpg-signed portage snapshots, but that's moving well beyond > the scope of this thread. That still would never give you any 3rd party verification. Why do we not self sign certificates? Why are those not trusted? Trust tends to come from 3rd parties. Even GPG relies on a WOT, without that its pointless. An unsigned GPG key is pretty worthless. Signing stuff with that means nothing. -- William L. Thomson Jr. pgpcIWBAlyNQk.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 10/08/17 11:42, William L. Thomson Jr. wrote: > On Thu, 10 Aug 2017 10:50:45 +1000 > "Sam Jorna (wraeth)"wrote: > >> On 10/08/17 06:35, William L. Thomson Jr. wrote: >>> FYI binpkgs have no hash. If someone did something malicious within >>> the binhost to the binpkgs. You have no way of knowing. Yes the >>> same can happen with ebuilds and manifest. But easy to sync portage >>> and see if a manifest has changed. >> >> This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which >> is a manifest of built packages and related metadata. Granted this is >> created by the binhost, it does exist and contains SHA1 and MD5 >> hashes, as well as package size. In that sense it's no different to >> how a package Manifest file works within a repository. > > You are correct. I meant to say no verifiable hash. You can hash > anything locally and claim it to be trustworthy. Thus mentioning > syncing portage to compare manifest of ebuild/SRC_URI > IMHO SRI_URI is more trustworthy than binhost, in the sense of > verification. If you have means to verify the binhost stuff it maybe > more trustworthy. That is left to the admin. This is no greater risk than syncing from a potentially compromised mirror. You would use a mirror you trust and, similarly (perhaps even more so) you would use a binhost you trust. It does raise the idea of some form of signing of the Packages file, similar to gpg-signed portage snapshots, but that's moving well beyond the scope of this thread. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 10/08/17 11:47, William L. Thomson Jr. wrote: > On Thu, 10 Aug 2017 11:25:34 +1000 > "Sam Jorna (wraeth)"wrote: > >> On 09/08/17 10:43, William L. Thomson Jr. wrote: >>> Also your redistributing another's package >>> in binary format which may not be legally allowed. >> >> Just to clarify, I wasn't suggesting redistributing license-encumbered >> packages. Since binary packages are managed by the system >> administrator, not Gentoo (as a distro), it remains with the >> administrator to adhere to any relevant license restrictions. Plus >> the package manager can't tell if you're distributing binaries or not. > > Sure, I was just pointing out that there maybe legal needs to prevent > such. Unless someone wants to circumvent. Their call but not default. > > The package manager knows about fetch restricted ebuilds. It should > not to re-package that stuff. IMHO Packaging a binary is not redistributing. Building binpkgs does not mean you're going to redistribute them, and even if you were, the package manager has no way of determining that aside from an --im-going-to-redist-this-package option. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Thu, 10 Aug 2017 11:25:34 +1000 "Sam Jorna (wraeth)"wrote: > On 09/08/17 10:43, William L. Thomson Jr. wrote: > > Also your redistributing another's package > > in binary format which may not be legally allowed. > > Just to clarify, I wasn't suggesting redistributing license-encumbered > packages. Since binary packages are managed by the system > administrator, not Gentoo (as a distro), it remains with the > administrator to adhere to any relevant license restrictions. Plus > the package manager can't tell if you're distributing binaries or not. Sure, I was just pointing out that there maybe legal needs to prevent such. Unless someone wants to circumvent. Their call but not default. The package manager knows about fetch restricted ebuilds. It should not to re-package that stuff. IMHO -- William L. Thomson Jr. pgpfMvLJegYBY.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Thu, 10 Aug 2017 10:50:45 +1000 "Sam Jorna (wraeth)"wrote: > On 10/08/17 06:35, William L. Thomson Jr. wrote: > > FYI binpkgs have no hash. If someone did something malicious within > > the binhost to the binpkgs. You have no way of knowing. Yes the > > same can happen with ebuilds and manifest. But easy to sync portage > > and see if a manifest has changed. > > This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which > is a manifest of built packages and related metadata. Granted this is > created by the binhost, it does exist and contains SHA1 and MD5 > hashes, as well as package size. In that sense it's no different to > how a package Manifest file works within a repository. You are correct. I meant to say no verifiable hash. You can hash anything locally and claim it to be trustworthy. Thus mentioning syncing portage to compare manifest of ebuild/SRC_URI. Someone remakes a binpkg tarball, edits ${PKGDIR}/Packages with new SHA1 and MD5. No way to know. IMHO SRI_URI is more trustworthy than binhost, in the sense of verification. If you have means to verify the binhost stuff it maybe more trustworthy. That is left to the admin. I see binpkg as a temporary convenience. I am doing updates across many of the same systems. Less images, containers, etc. I made binaries on one system. Immediately used as updated on others. Then discarded on binhost. Also used for testing, reverting between slotted versions. -- William L. Thomson Jr. pgpo6yopgjta1.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 09/08/17 10:43, William L. Thomson Jr. wrote: > Also your redistributing another's package > in binary format which may not be legally allowed. Just to clarify, I wasn't suggesting redistributing license-encumbered packages. Since binary packages are managed by the system administrator, not Gentoo (as a distro), it remains with the administrator to adhere to any relevant license restrictions. Plus the package manager can't tell if you're distributing binaries or not. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 10/08/17 06:35, William L. Thomson Jr. wrote: > FYI binpkgs have no hash. If someone did something malicious within the > binhost to the binpkgs. You have no way of knowing. Yes the same can > happen with ebuilds and manifest. But easy to sync portage and see if a > manifest has changed. This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which is a manifest of built packages and related metadata. Granted this is created by the binhost, it does exist and contains SHA1 and MD5 hashes, as well as package size. In that sense it's no different to how a package Manifest file works within a repository. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
Just to clarify, the contenders for no binpkg would be the following, potentially more. - ebuilds that are fetch restricted - ebuilds that installs files unchanged, like kernel sources - Binary ebuilds, -bin, that just use src_install and do not build anything There may be some other cases, but I think that covers the main ones. The first case, should NEVER, not even optionally be allowed to be binpkg. That is re-distributing something that is fetch restricted. If it cannot be mirrored, I doubt it can legally be re-packaged. The later 2 could be "optional" defaulted to not build, but could be forced. There is little benefit at that point but some may prefer those be a binpkg. I have no problem with it being optional. -- William L. Thomson Jr. pgpZrNRHTl9GN.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Wed, 9 Aug 2017 22:23:41 +0200 Francesco Riosawrote: > 2017-08-09 17:33 GMT+02:00 William L. Thomson Jr. : > > > On Wed, 9 Aug 2017 11:07:04 +1000 > > "Sam Jorna (wraeth)" wrote: > > > > > > What then is the benefit? If what is installed is the same from > > > > package manager or binpkg. Also your redistributing another's > > > > package in binary format which may not be legally allowed. > > > > > > The difference is that how the package manager/ebuild installs the > > > package may be better suited to the environment than what upstream > > > expects (such as upstreams that install through a .run file) > > > > I fail to see how basically skipping src_install and maybe some > > prepare stuff that makes it better suited to an environment. > > Can you explain that further? > > > > These packages are just exploded tarballs. I fail to see the benefit > > to repacking those into another tarball to be exploded. At best > > skipping src_install and/or prepare, seems to be the only > > difference. > > > one such benefit is that the binhost is known and managed by someone > you trust, SRC_URI point to the wider and dangerous internet. Interesting argument, saying upstreams cannot be trusted. Nor Gentoo with its manifests and hashes of the files referenced in SRC_URI. Given that most will come from Gentoo mirrors not upstream servers. Ignoring that the binhost has to use these SRC_URI's just the same. It makes sense in very strange way. FYI binpkgs have no hash. If someone did something malicious within the binhost to the binpkgs. You have no way of knowing. Yes the same can happen with ebuilds and manifest. But easy to sync portage and see if a manifest has changed. Therefore relying on binhost as means of security is possible but odd, as it leaves things open to potentially larger issues. > So please leave this as a configurable choice. For some things configurable would make sense. For things like fetch restricted, it would not. Since it is not legal to mirror that stuff to begin with. It surely is not to re-package. -- William L. Thomson Jr. pgp_OCWY10rTw.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
2017-08-09 17:33 GMT+02:00 William L. Thomson Jr.: > On Wed, 9 Aug 2017 11:07:04 +1000 > "Sam Jorna (wraeth)" wrote: > > > > What then is the benefit? If what is installed is the same from > > > package manager or binpkg. Also your redistributing another's > > > package in binary format which may not be legally allowed. > > > > The difference is that how the package manager/ebuild installs the > > package may be better suited to the environment than what upstream > > expects (such as upstreams that install through a .run file) > > I fail to see how basically skipping src_install and maybe some prepare > stuff that makes it better suited to an environment. > Can you explain that further? > > These packages are just exploded tarballs. I fail to see the benefit > to repacking those into another tarball to be exploded. At best > skipping src_install and/or prepare, seems to be the only difference. > one such benefit is that the binhost is known and managed by someone you trust, SRC_URI point to the wider and dangerous internet. So please leave this as a configurable choice. > > I see no difference in installing kernel sources via source ebuild or a > binpkg, pre-built ebuild binary. Other than the time it takes to > re-package the kernel sources into another tarball. > > > -- > William L. Thomson Jr. >
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Wed, 9 Aug 2017 11:07:04 +1000 "Sam Jorna (wraeth)"wrote: > > What then is the benefit? If what is installed is the same from > > package manager or binpkg. Also your redistributing another's > > package in binary format which may not be legally allowed. > > The difference is that how the package manager/ebuild installs the > package may be better suited to the environment than what upstream > expects (such as upstreams that install through a .run file) I fail to see how basically skipping src_install and maybe some prepare stuff that makes it better suited to an environment. Can you explain that further? These packages are just exploded tarballs. I fail to see the benefit to repacking those into another tarball to be exploded. At best skipping src_install and/or prepare, seems to be the only difference. I see no difference in installing kernel sources via source ebuild or a binpkg, pre-built ebuild binary. Other than the time it takes to re-package the kernel sources into another tarball. -- William L. Thomson Jr. pgprjYBDQKsdt.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 09/08/17 10:43, William L. Thomson Jr. wrote: > On Wed, 9 Aug 2017 10:29:40 +1000 > "Sam Jorna (wraeth)"wrote: > >> On 09/08/17 04:20, William L. Thomson Jr. wrote: >>> On Tue, 8 Aug 2017 19:32:48 +0200 >>> Kristian Fiskerstrand wrote: - You might be applying local patches through /etc/portage/patches that are distributed to all clients >>> >>> This might be the strongest reason. Though would only apply to stuff >>> like say kernel sources. Not sure what patches could be applied to a >>> binary ebuild, -bin. A patch would not effect src_install per my >>> understanding. >> >> There's also the fact that binpkgs may be manually installed exactly >> as the package manager would have installed it, rather than extracting >> whatever upstream supplies verbatim. > > What then is the benefit? If what is installed is the same from > package manager or binpkg. Also your redistributing another's package > in binary format which may not be legally allowed. The difference is that how the package manager/ebuild installs the package may be better suited to the environment than what upstream expects (such as upstreams that install through a .run file) >> This includes things like any wrappers, desktop files or symlinks >> created by the ebuild, or other such downstream-isms. > > If it was made via package manager. If it was made via quickpkg, it > maybe different than if made by package manager. Using quickpkg can create different binaries depending on your options, but otherwise it should package any installed files as recorded by the package manager - provided you use inclusive options, there should be no appreciable difference as far as I'm aware. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Wed, 9 Aug 2017 10:29:40 +1000 "Sam Jorna (wraeth)"wrote: > On 09/08/17 04:20, William L. Thomson Jr. wrote: > > On Tue, 8 Aug 2017 19:32:48 +0200 > > Kristian Fiskerstrand wrote: > >> - You might be applying local patches through /etc/portage/patches > >> that are distributed to all clients > > > > This might be the strongest reason. Though would only apply to stuff > > like say kernel sources. Not sure what patches could be applied to a > > binary ebuild, -bin. A patch would not effect src_install per my > > understanding. > > There's also the fact that binpkgs may be manually installed exactly > as the package manager would have installed it, rather than extracting > whatever upstream supplies verbatim. What then is the benefit? If what is installed is the same from package manager or binpkg. Also your redistributing another's package in binary format which may not be legally allowed. > This includes things like any wrappers, desktop files or symlinks > created by the ebuild, or other such downstream-isms. If it was made via package manager. If it was made via quickpkg, it maybe different than if made by package manager. -- William L. Thomson Jr. pgpM0WgebH6wT.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 09/08/17 04:20, William L. Thomson Jr. wrote: > On Tue, 8 Aug 2017 19:32:48 +0200 > Kristian Fiskerstrandwrote: >> - You might be applying local patches through /etc/portage/patches >> that are distributed to all clients > > This might be the strongest reason. Though would only apply to stuff > like say kernel sources. Not sure what patches could be applied to a > binary ebuild, -bin. A patch would not effect src_install per my > understanding. There's also the fact that binpkgs may be manually installed exactly as the package manager would have installed it, rather than extracting whatever upstream supplies verbatim. This includes things like any wrappers, desktop files or symlinks created by the ebuild, or other such downstream-isms. -- Sam Jorna (wraeth) GnuPG ID: D6180C26 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
> > On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote: > > >> it can already be controlled through env files. > > > I was thinking it might, but having used them to skip other > > > hooks. I was thinking they could not be used as such for binary > > > packages. Have you confirmed such is possible? Could you provide > > > a link or example? Thanks! > > > > try something like: > > /etc/portage/env/nobin: > > FEATURES="-buildpkg" > > > > /etc/portage/package.env/nobin: > > sys-kernel/gentoo-sources nobin > > That may work, I was not thinking to negate. Trying it out now. But > may lead me to another need... :) My other need is that it does not seem you can use env files or patches in profiles. I think I can do the env stuff via other means. Like package.use. I do not want it in make.defaults, as this is per package. The problem with env files is managing them per system. I want to do things like that in profiles. It is to much work to manage that stuff on each system. Even using things like ansible. Which is why I have moved to custom profiles rather than per system stuff. I will need to experiment a bit more. But IMHO a variable that can be set in an ebuild, and bypassed if needed by operator at emerge time is the simplest approach. -- William L. Thomson Jr. pgp_WKOlHcPmv.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, 8 Aug 2017 20:15:07 +0200 Kristian Fiskerstrandwrote: > On 08/08/2017 08:10 PM, William L. Thomson Jr. wrote: > >> I'm not sure explicitly about environment files, but it's an > >> option to emerge. For instance, I've added this to my > >> EMERGE_DEFAULT_OPTS to ensure none of the following are built: > >> > >> --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/* > >> perl-core/*" > > Something like this would NOT be desirable. It would have to be > > done on every system. > It would have to be set on every binhost, not every client system.. > that said, I prefer env approach as it is easier to track changes > properly in a CVS That is assuming clients do not have FEATURES="buildpkg". I have that set just in case I merge some package directly on a system. I have the binary ready for others. I am trying out the env route now, but may need some changes there. Most are made on the binhost, but not all. Also I am not necessarily using a binhost per se. I have portage on shared NFS. I also rsync some binaries between NFS servers. -- William L. Thomson Jr. pgpzyH21mFLVx.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, 8 Aug 2017 19:32:48 +0200 Kristian Fiskerstrandwrote: > On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote: > > Can you think of any? I cannot see any operator wanting a binary of > > a binary, or a package of sources. When they already have a > > sources > > - The machine you're installing it on might not have internet access > so you want to have the files stored in a single location for > wrapping it up. Not sure that would be any different between distfiles and packages. > - You might want an audit trail of installed packages, so using the > binary files on specific media ensures same copy is installed > everywhere Doesn't the manifest/hash aspect of ebuilds ensure that for the tarballs already? If installing same version, same tarball, Its all the same already. > - You might be applying local patches through /etc/portage/patches > that are distributed to all clients This might be the strongest reason. Though would only apply to stuff like say kernel sources. Not sure what patches could be applied to a binary ebuild, -bin. A patch would not effect src_install per my understanding. > On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote: > >> it can already be controlled through env files. > > I was thinking it might, but having used them to skip other hooks. I > > was thinking they could not be used as such for binary packages. > > Have you confirmed such is possible? Could you provide a link or > > example? Thanks! > > try something like: > /etc/portage/env/nobin: > FEATURES="-buildpkg" > > /etc/portage/package.env/nobin: > sys-kernel/gentoo-sources nobin That may work, I was not thinking to negate. Trying it out now. But may lead me to another need... :) -- William L. Thomson Jr. pgp09Sx3bV7Cd.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 08/08/2017 08:10 PM, William L. Thomson Jr. wrote: >> I'm not sure explicitly about environment files, but it's an option to >> emerge. For instance, I've added this to my EMERGE_DEFAULT_OPTS to >> ensure none of the following are built: >> >> --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/* >> perl-core/*" > Something like this would NOT be desirable. It would have to be done on > every system. It would have to be set on every binhost, not every client system.. that said, I prefer env approach as it is easier to track changes properly in a CVS -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, 8 Aug 2017 13:34:00 -0400 Ian Stakenviciuswrote: > I'm not sure explicitly about environment files, but it's an option to > emerge. For instance, I've added this to my EMERGE_DEFAULT_OPTS to > ensure none of the following are built: > > --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/* > perl-core/*" Something like this would NOT be desirable. It would have to be done on every system. Package env files, if possible, would be a better approach as that could be distribute to be consistent on all systems. -- William L. Thomson Jr. pgpgDp0MP9oVI.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 08/08/17 01:23 PM, William L. Thomson Jr. wrote: > On Tue, 8 Aug 2017 19:11:18 +0200 > Kristian Fiskerstrandwrote: > >> it can already be controlled through env files. > > I was thinking it might, but having used them to skip other hooks. I > was thinking they could not be used as such for binary packages. Have > you confirmed such is possible? Could you provide a link or example? > Thanks! I'm not sure explicitly about environment files, but it's an option to emerge. For instance, I've added this to my EMERGE_DEFAULT_OPTS to ensure none of the following are built: --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/* perl-core/*" signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, 8 Aug 2017 10:18:36 -0700 Rich Freemanwrote: > > Whether it belongs in the ebuild, or in metadata, is another matter. The how, implementation, etc is not as important to me. I just think there should be some means to prevent such. If there is not currently. As mentioned there could be other uses/benefits of such depending on how it is implemented. That is up to others. I just would like to not have binaries made of packages I feel are a waste to be re-packaged into a binpkg. -- William L. Thomson Jr.
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote: > Can you think of any? I cannot see any operator wanting a binary of a > binary, or a package of sources. When they already have a sources - The machine you're installing it on might not have internet access so you want to have the files stored in a single location for wrapping it up. - You might want an audit trail of installed packages, so using the binary files on specific media ensures same copy is installed everywhere - You might be applying local patches through /etc/portage/patches that are distributed to all clients On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote: >> it can already be controlled through env files. > I was thinking it might, but having used them to skip other hooks. I > was thinking they could not be used as such for binary packages. Have > you confirmed such is possible? Could you provide a link or example? > Thanks! try something like: /etc/portage/env/nobin: FEATURES="-buildpkg" /etc/portage/package.env/nobin: sys-kernel/gentoo-sources nobin -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On wto, 2017-08-08 at 10:18 -0700, Rich Freeman wrote: > On Tue, Aug 8, 2017 at 10:11 AM, Kristian Fiskerstrand> wrote: > > On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote: > > > I make a lot of binaries for use on other systems, to expedite updates. > > > It does not make sense for some packages to ever be a binary package. > > > > Any particular reason this decision shouldn't be left to the operator of > > the binhost rather than the package maintainer? it can already be > > controlled through env files. > > > > Perhaps, but I could see some value in having some way to mark > packages that don't compile anything. This could also overlap > somewhat with the desire to track arch-independent packages for > stabilization purposes. I could see it being useful to be able to > obtain a list of all the binary packages in the Gentoo repo for QA > purposes/etc as well. > > Maybe it isn't a flag that outright blocks binary package building, > but a way to mark such packages so that a user can apply a policy on > top of this. > > Whether it belongs in the ebuild, or in metadata, is another matter. Does a package that builds documentation from sources count? -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, 8 Aug 2017 19:11:18 +0200 Kristian Fiskerstrandwrote: > On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote: > > I make a lot of binaries for use on other systems, to expedite > > updates. It does not make sense for some packages to ever be a > > binary package. > > Any particular reason this decision shouldn't be left to the operator > of the binhost rather than the package maintainer? Can you think of any? I cannot see any operator wanting a binary of a binary, or a package of sources. When they already have a sources tarball. Maybe in the case of shipping binaries without sources. But I am not sure if an binary ebuild ignores SRC_URI entirely. I think moving binaries without needing the distfiles would be the only reason why an operator may prefer binaries of stuff that does not get compiled, just installed. > it can already be controlled through env files. I was thinking it might, but having used them to skip other hooks. I was thinking they could not be used as such for binary packages. Have you confirmed such is possible? Could you provide a link or example? Thanks! -- William L. Thomson Jr. pgpmdoJlHwS7Z.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, Aug 8, 2017 at 10:11 AM, Kristian Fiskerstrandwrote: > On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote: >> I make a lot of binaries for use on other systems, to expedite updates. >> It does not make sense for some packages to ever be a binary package. > > Any particular reason this decision shouldn't be left to the operator of > the binhost rather than the package maintainer? it can already be > controlled through env files. > Perhaps, but I could see some value in having some way to mark packages that don't compile anything. This could also overlap somewhat with the desire to track arch-independent packages for stabilization purposes. I could see it being useful to be able to obtain a list of all the binary packages in the Gentoo repo for QA purposes/etc as well. Maybe it isn't a flag that outright blocks binary package building, but a way to mark such packages so that a user can apply a policy on top of this. Whether it belongs in the ebuild, or in metadata, is another matter. -- Rich
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote: > I make a lot of binaries for use on other systems, to expedite updates. > It does not make sense for some packages to ever be a binary package. Any particular reason this decision shouldn't be left to the operator of the binhost rather than the package maintainer? it can already be controlled through env files. -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation
On Tue, Aug 8, 2017 at 12:37 PM, William L. Thomson Jr.wrote: > > As most things I think this would require support in PMS, or next EAPI > at minimum. But I think the EAPI comes from PMS, so they are related. > Actually, I'm not sure about this since it doesn't really affect what is actually built, but I'll defer to others on that. For example, in [1] there is a statement "Package managers may recognise other tokens, but ebuilds may not rely upon them being supported." This strikes me as that sort of thing, and indeed this might be the right place to put it. There is no real harm if a particular package manager doesn't support this feature as it has no affect on what is installed. I believe we also use non-PMS variables for things like disabling QA checks in tinderboxes and such, since this has no impact on package managers. A new EAPI would be defined in a new version of the PMS. The PMS is the specification that includes EAPI among other things. 1 - https://projects.gentoo.org/pms/6/pms.html#x1-920008.2.8 -- Rich