Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 11/08/17 03:08, William L. Thomson Jr. wrote:
> Lets go down this rabbit hole.

Let's not.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Thu, 10 Aug 2017 13:33:54 +1000
"Sam Jorna (wraeth)"  wrote:
>
> This is no greater risk than syncing from a potentially compromised
> mirror. You would use a mirror you trust and, similarly (perhaps even
> more so) you would use a binhost you trust.

Getting a bit ridiculous now. Let me get my tin foil hat.

So your suggesting Gentoo mirrors are could be compromised? Your saying
that Gentoo repo gets compromised. Which then leaks out onto mirrors. If
a mirror is compromised, clearly it would not match up to other mirrors
or the master Gentoo repo. All with no one in the world noticing. Not a
likely scenario.

Lets go down this rabbit hole. Lets say Gentoo repo was compromised.
You simply look at upstream sources and their hashes. If Gentoo
mirrored sources do not match up to upstream. Then you know something
is wrong.

Thus you have many ways to verify, pull from mirror, compare to mirror,
compared to master Gentoo repo, compare to upstream. None of that can
be done with a binpkg. There are no public binhost. There is no
official Gentoo binhost. That is something people setup.

They may trust their own binhost. But to imply that is more trust
worthy than public stuff that is in more than one verifiable location
against 3rd parties. That logic does not hold up.

> It does raise the idea of some form of signing of the Packages file,
> similar to gpg-signed portage snapshots, but that's moving well beyond
> the scope of this thread.

That still would never give you any 3rd party verification. Why do we
not self sign certificates? Why are those not trusted? Trust tends to
come from 3rd parties.

Even GPG relies on a WOT, without that its pointless. An unsigned GPG
key is pretty worthless. Signing stuff with that means nothing.

-- 
William L. Thomson Jr.


pgpcIWBAlyNQk.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 10/08/17 11:42, William L. Thomson Jr. wrote:
> On Thu, 10 Aug 2017 10:50:45 +1000
> "Sam Jorna (wraeth)"  wrote:
> 
>> On 10/08/17 06:35, William L. Thomson Jr. wrote:
>>> FYI binpkgs have no hash. If someone did something malicious within
>>> the binhost to the binpkgs. You have no way of knowing. Yes the
>>> same can happen with ebuilds and manifest. But easy to sync portage
>>> and see if a manifest has changed.  
>>
>> This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
>> is a manifest of built packages and related metadata. Granted this is
>> created by the binhost, it does exist and contains SHA1 and MD5
>> hashes, as well as package size. In that sense it's no different to
>> how a package Manifest file works within a repository.
> 
> You are correct. I meant to say no verifiable hash. You can hash
> anything locally and claim it to be trustworthy. Thus mentioning
> syncing portage to compare manifest of ebuild/SRC_URI
> IMHO SRI_URI is more trustworthy than binhost, in the sense of
> verification. If  you have means to verify the binhost stuff it maybe
> more trustworthy. That is left to the admin.

This is no greater risk than syncing from a potentially compromised
mirror. You would use a mirror you trust and, similarly (perhaps even
more so) you would use a binhost you trust.

It does raise the idea of some form of signing of the Packages file,
similar to gpg-signed portage snapshots, but that's moving well beyond
the scope of this thread.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 10/08/17 11:47, William L. Thomson Jr. wrote:
> On Thu, 10 Aug 2017 11:25:34 +1000
> "Sam Jorna (wraeth)"  wrote:
> 
>> On 09/08/17 10:43, William L. Thomson Jr. wrote:
>>> Also your redistributing another's package
>>> in binary format which may not be legally allowed.  
>>
>> Just to clarify, I wasn't suggesting redistributing license-encumbered
>> packages. Since binary packages are managed by the system
>> administrator, not Gentoo (as a distro), it remains with the
>> administrator to adhere to any relevant license restrictions. Plus
>> the package manager can't tell if you're distributing binaries or not.
> 
> Sure, I was just pointing out that there maybe legal needs to prevent
> such. Unless someone wants to circumvent. Their call but not default.
> 
> The package manager knows about fetch restricted ebuilds. It should
> not to re-package that stuff. IMHO

Packaging a binary is not redistributing. Building binpkgs does not mean
you're going to redistribute them, and even if you were, the package
manager has no way of determining that aside from an
--im-going-to-redist-this-package option.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Thu, 10 Aug 2017 11:25:34 +1000
"Sam Jorna (wraeth)"  wrote:

> On 09/08/17 10:43, William L. Thomson Jr. wrote:
> > Also your redistributing another's package
> > in binary format which may not be legally allowed.  
> 
> Just to clarify, I wasn't suggesting redistributing license-encumbered
> packages. Since binary packages are managed by the system
> administrator, not Gentoo (as a distro), it remains with the
> administrator to adhere to any relevant license restrictions. Plus
> the package manager can't tell if you're distributing binaries or not.

Sure, I was just pointing out that there maybe legal needs to prevent
such. Unless someone wants to circumvent. Their call but not default.

The package manager knows about fetch restricted ebuilds. It should
not to re-package that stuff. IMHO

-- 
William L. Thomson Jr.


pgpfMvLJegYBY.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Thu, 10 Aug 2017 10:50:45 +1000
"Sam Jorna (wraeth)"  wrote:

> On 10/08/17 06:35, William L. Thomson Jr. wrote:
> > FYI binpkgs have no hash. If someone did something malicious within
> > the binhost to the binpkgs. You have no way of knowing. Yes the
> > same can happen with ebuilds and manifest. But easy to sync portage
> > and see if a manifest has changed.  
> 
> This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
> is a manifest of built packages and related metadata. Granted this is
> created by the binhost, it does exist and contains SHA1 and MD5
> hashes, as well as package size. In that sense it's no different to
> how a package Manifest file works within a repository.

You are correct. I meant to say no verifiable hash. You can hash
anything locally and claim it to be trustworthy. Thus mentioning
syncing portage to compare manifest of ebuild/SRC_URI.

Someone remakes a binpkg tarball, edits ${PKGDIR}/Packages with new
SHA1 and MD5. No way to know.

IMHO SRI_URI is more trustworthy than binhost, in the sense of
verification. If  you have means to verify the binhost stuff it maybe
more trustworthy. That is left to the admin.

I see binpkg as a temporary convenience. I am doing updates across many
of the same systems. Less images, containers, etc. I made binaries on
one system. Immediately used as updated on others. Then discarded on
binhost. Also used for  testing, reverting between slotted versions.

-- 
William L. Thomson Jr.


pgpo6yopgjta1.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 09/08/17 10:43, William L. Thomson Jr. wrote:
> Also your redistributing another's package
> in binary format which may not be legally allowed.

Just to clarify, I wasn't suggesting redistributing license-encumbered
packages. Since binary packages are managed by the system administrator,
not Gentoo (as a distro), it remains with the administrator to adhere to
any relevant license restrictions. Plus the package manager can't tell
if you're distributing binaries or not.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 10/08/17 06:35, William L. Thomson Jr. wrote:
> FYI binpkgs have no hash. If someone did something malicious within the
> binhost to the binpkgs. You have no way of knowing. Yes the same can
> happen with ebuilds and manifest. But easy to sync portage and see if a
> manifest has changed.

This isn't exactly true - see ${PKGDIR}/Packages on the binhost, which
is a manifest of built packages and related metadata. Granted this is
created by the binhost, it does exist and contains SHA1 and MD5 hashes,
as well as package size. In that sense it's no different to how a
package Manifest file works within a repository.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

Just to clarify, the contenders for no binpkg would be the
following, potentially more.

 - ebuilds that are fetch restricted
 - ebuilds that installs files unchanged, like kernel sources
 - Binary ebuilds, -bin, that just use src_install and do not build
   anything

There may be some other cases, but I think that covers the main ones.
The first case, should NEVER, not even optionally be allowed to be
binpkg. That is re-distributing something that is fetch restricted. If
it cannot be mirrored, I doubt it can legally be  re-packaged.

The later 2 could be "optional" defaulted to not build, but could be
forced. There is little benefit at that point but some may prefer those
be a binpkg.

I have no problem with it being optional.

-- 
William L. Thomson Jr.


pgpZrNRHTl9GN.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Wed, 9 Aug 2017 22:23:41 +0200
Francesco Riosa  wrote:

> 2017-08-09 17:33 GMT+02:00 William L. Thomson Jr. :
> 
> > On Wed, 9 Aug 2017 11:07:04 +1000
> > "Sam Jorna (wraeth)"  wrote:
> >
> > > > What then is the benefit? If what is installed is the same from
> > > > package manager or binpkg. Also your redistributing another's
> > > > package in binary format which may not be legally allowed.
> > >
> > > The difference is that how the package manager/ebuild installs the
> > > package may be better suited to the environment than what upstream
> > > expects (such as upstreams that install through a .run file)
> >
> > I fail to see how basically skipping src_install and maybe some
> > prepare stuff that makes it better suited to an environment.
> > Can you explain that further?
> >
> > These packages are just exploded tarballs. I fail to see the benefit
> > to repacking those into another tarball to be exploded. At best
> > skipping src_install and/or prepare, seems to be the only
> > difference.
> >
> one such benefit is that the binhost is known and managed by someone
> you trust, SRC_URI point to the wider and dangerous internet.

Interesting argument, saying upstreams cannot be trusted. Nor Gentoo
with its manifests and hashes of the files referenced in SRC_URI. Given
that most will come from Gentoo mirrors not upstream servers. Ignoring
that the binhost has to use these SRC_URI's just the same. It makes
sense in very strange way.

FYI binpkgs have no hash. If someone did something malicious within the
binhost to the binpkgs. You have no way of knowing. Yes the same can
happen with ebuilds and manifest. But easy to sync portage and see if a
manifest has changed.

Therefore relying on binhost as means of security is possible but odd,
as it leaves things open to potentially larger issues.

> So please leave this as a configurable choice.

For some things configurable would make sense. For things like fetch
restricted, it would not. Since it is not legal to mirror that stuff to
begin with. It surely is not to re-package.

-- 
William L. Thomson Jr.


pgp_OCWY10rTw.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Francesco Riosa]

2017-08-09 17:33 GMT+02:00 William L. Thomson Jr. :

> On Wed, 9 Aug 2017 11:07:04 +1000
> "Sam Jorna (wraeth)"  wrote:
>
> > > What then is the benefit? If what is installed is the same from
> > > package manager or binpkg. Also your redistributing another's
> > > package in binary format which may not be legally allowed.
> >
> > The difference is that how the package manager/ebuild installs the
> > package may be better suited to the environment than what upstream
> > expects (such as upstreams that install through a .run file)
>
> I fail to see how basically skipping src_install and maybe some prepare
> stuff that makes it better suited to an environment.
> Can you explain that further?
>
> These packages are just exploded tarballs. I fail to see the benefit
> to repacking those into another tarball to be exploded. At best
> skipping src_install and/or prepare, seems to be the only difference.
>

one such benefit is that the binhost is known and managed by someone you
trust, SRC_URI point to the wider and dangerous internet.
So please leave this as a configurable choice.


>
> I see no difference in installing kernel sources via source ebuild or a
> binpkg, pre-built ebuild binary. Other than the time it takes to
> re-package the kernel sources into another tarball.
>
>
> --
> William L. Thomson Jr.
>

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Wed, 9 Aug 2017 11:07:04 +1000
"Sam Jorna (wraeth)"  wrote:

> > What then is the benefit? If what is installed is the same from
> > package manager or binpkg. Also your redistributing another's
> > package in binary format which may not be legally allowed.  
> 
> The difference is that how the package manager/ebuild installs the
> package may be better suited to the environment than what upstream
> expects (such as upstreams that install through a .run file)

I fail to see how basically skipping src_install and maybe some prepare
stuff that makes it better suited to an environment.
Can you explain that further?

These packages are just exploded tarballs. I fail to see the benefit
to repacking those into another tarball to be exploded. At best
skipping src_install and/or prepare, seems to be the only difference.

I see no difference in installing kernel sources via source ebuild or a
binpkg, pre-built ebuild binary. Other than the time it takes to
re-package the kernel sources into another tarball.


-- 
William L. Thomson Jr.


pgprjYBDQKsdt.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 09/08/17 10:43, William L. Thomson Jr. wrote:
> On Wed, 9 Aug 2017 10:29:40 +1000
> "Sam Jorna (wraeth)"  wrote:
> 
>> On 09/08/17 04:20, William L. Thomson Jr. wrote:
>>> On Tue, 8 Aug 2017 19:32:48 +0200
>>> Kristian Fiskerstrand  wrote:  
  - You might be applying local patches through /etc/portage/patches
 that are distributed to all clients  
>>>
>>> This might be the strongest reason. Though would only apply to stuff
>>> like say kernel sources. Not sure what patches could be applied to a
>>> binary ebuild, -bin. A patch would not effect src_install per my
>>> understanding.  
>>
>> There's also the fact that binpkgs may be manually installed exactly
>> as the package manager would have installed it, rather than extracting
>> whatever upstream supplies verbatim. 
> 
> What then is the benefit? If what is installed is the same from
> package manager or binpkg. Also your redistributing another's package
> in binary format which may not be legally allowed.

The difference is that how the package manager/ebuild installs the
package may be better suited to the environment than what upstream
expects (such as upstreams that install through a .run file)

>> This includes things like any wrappers, desktop files or symlinks
>> created by the ebuild, or other such downstream-isms.
> 
> If it was made via package manager. If it was made via quickpkg, it
> maybe different than if made by package manager.

Using quickpkg can create different binaries depending on your options,
but otherwise it should package any installed files as recorded by the
package manager - provided you use inclusive options, there should be no
appreciable difference as far as I'm aware.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Wed, 9 Aug 2017 10:29:40 +1000
"Sam Jorna (wraeth)"  wrote:

> On 09/08/17 04:20, William L. Thomson Jr. wrote:
> > On Tue, 8 Aug 2017 19:32:48 +0200
> > Kristian Fiskerstrand  wrote:  
> >>  - You might be applying local patches through /etc/portage/patches
> >> that are distributed to all clients  
> > 
> > This might be the strongest reason. Though would only apply to stuff
> > like say kernel sources. Not sure what patches could be applied to a
> > binary ebuild, -bin. A patch would not effect src_install per my
> > understanding.  
> 
> There's also the fact that binpkgs may be manually installed exactly
> as the package manager would have installed it, rather than extracting
> whatever upstream supplies verbatim. 

What then is the benefit? If what is installed is the same from
package manager or binpkg. Also your redistributing another's package
in binary format which may not be legally allowed.

> This includes things like any wrappers, desktop files or symlinks
> created by the ebuild, or other such downstream-isms.

If it was made via package manager. If it was made via quickpkg, it
maybe different than if made by package manager.

-- 
William L. Thomson Jr.


pgpM0WgebH6wT.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Sam Jorna (wraeth)]

On 09/08/17 04:20, William L. Thomson Jr. wrote:
> On Tue, 8 Aug 2017 19:32:48 +0200
> Kristian Fiskerstrand  wrote:
>>  - You might be applying local patches through /etc/portage/patches
>> that are distributed to all clients
> 
> This might be the strongest reason. Though would only apply to stuff
> like say kernel sources. Not sure what patches could be applied to a
> binary ebuild, -bin. A patch would not effect src_install per my
> understanding.

There's also the fact that binpkgs may be manually installed exactly as
the package manager would have installed it, rather than extracting
whatever upstream supplies verbatim. This includes things like any
wrappers, desktop files or symlinks created by the ebuild, or other such
downstream-isms.

-- 
Sam Jorna (wraeth)
GnuPG ID: D6180C26



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

> > On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote:  
> > >> it can already be controlled through env files.
> > > I was thinking it might, but having used them to skip other
> > > hooks. I was thinking they could not be used as such for binary
> > > packages. Have you confirmed such is possible?  Could you provide
> > > a link or example? Thanks!
> > 
> > try something like:
> > /etc/portage/env/nobin:
> > FEATURES="-buildpkg"
> > 
> > /etc/portage/package.env/nobin:
> > sys-kernel/gentoo-sources nobin  
> 
> That may work, I was not thinking to negate.  Trying it out now. But
> may lead me to another need... :)

My other need is that it does not seem you can use env files or patches
in profiles. I think I can do the env stuff via other means. Like
package.use. I do not want it in make.defaults, as this is per package.

The problem with env files is managing them per system. I want to do
things like that in profiles. It is to much work to manage that stuff
on each system. Even using things like ansible. Which is why I have
moved to custom profiles rather than per system stuff.

I will need to experiment a bit more. But IMHO a variable that can be
set in an ebuild, and bypassed if needed by operator at emerge time is
the simplest approach.

-- 
William L. Thomson Jr.


pgp_WKOlHcPmv.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Tue, 8 Aug 2017 20:15:07 +0200
Kristian Fiskerstrand  wrote:

> On 08/08/2017 08:10 PM, William L. Thomson Jr. wrote:
> >> I'm not sure explicitly about environment files, but it's an
> >> option to emerge.  For instance, I've added this to my
> >> EMERGE_DEFAULT_OPTS to ensure none of the following are built:
> >>
> >> --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/*
> >> perl-core/*"  
> > Something like this would NOT be desirable. It would have to be
> > done on every system.   
> It would have to be set on every binhost, not every client system..
> that said, I prefer env approach as it is easier to track changes
> properly in a CVS

That is assuming clients do not have FEATURES="buildpkg". I have that
set just in case I merge some package directly on a system. I have the
binary ready for others. I am trying out the env route now, but may
need some changes there.

Most are made on the binhost, but not all. Also I am not necessarily
using a binhost per se. I have portage on shared NFS. I also rsync some
binaries between NFS servers.

-- 
William L. Thomson Jr.


pgpzyH21mFLVx.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Tue, 8 Aug 2017 19:32:48 +0200
Kristian Fiskerstrand  wrote:

> On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote:
> > Can you think of any? I cannot see any operator wanting a binary of
> > a binary, or a package of sources. When they already have a
> > sources  
> 
>  - The machine you're installing it on might not have internet access
> so you want to have the files stored in a single location for
> wrapping it up.

Not sure that would be any different between distfiles and packages.

>  - You might want an audit trail of installed packages, so using the
> binary files on specific media ensures same copy is installed
> everywhere

Doesn't the manifest/hash aspect of ebuilds ensure that for the
tarballs already? If installing same version, same tarball, Its all the
same already.

>  - You might be applying local patches through /etc/portage/patches
> that are distributed to all clients

This might be the strongest reason. Though would only apply to stuff
like say kernel sources. Not sure what patches could be applied to a
binary ebuild, -bin. A patch would not effect src_install per my
understanding.

> On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote:
> >> it can already be controlled through env files.  
> > I was thinking it might, but having used them to skip other hooks. I
> > was thinking they could not be used as such for binary packages.
> > Have you confirmed such is possible?  Could you provide a link or
> > example? Thanks!  
> 
> try something like:
> /etc/portage/env/nobin:
> FEATURES="-buildpkg"
> 
> /etc/portage/package.env/nobin:
> sys-kernel/gentoo-sources nobin

That may work, I was not thinking to negate.  Trying it out now. But
may lead me to another need... :)

-- 
William L. Thomson Jr.


pgp09Sx3bV7Cd.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Kristian Fiskerstrand]

On 08/08/2017 08:10 PM, William L. Thomson Jr. wrote:
>> I'm not sure explicitly about environment files, but it's an option to
>> emerge.  For instance, I've added this to my EMERGE_DEFAULT_OPTS to
>> ensure none of the following are built:
>>
>> --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/*
>> perl-core/*"
> Something like this would NOT be desirable. It would have to be done on
> every system. 
It would have to be set on every binhost, not every client system.. that
said, I prefer env approach as it is easier to track changes properly in
a CVS

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Tue, 8 Aug 2017 13:34:00 -0400
Ian Stakenvicius  wrote:

> I'm not sure explicitly about environment files, but it's an option to
> emerge.  For instance, I've added this to my EMERGE_DEFAULT_OPTS to
> ensure none of the following are built:
> 
> --buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/*
> perl-core/*"

Something like this would NOT be desirable. It would have to be done on
every system. Package env files, if possible, would be a better
approach as that could be distribute to be consistent on all systems.

-- 
William L. Thomson Jr.


pgpgDp0MP9oVI.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Ian Stakenvicius]

On 08/08/17 01:23 PM, William L. Thomson Jr. wrote:
> On Tue, 8 Aug 2017 19:11:18 +0200
> Kristian Fiskerstrand  wrote:
> 
>> it can already be controlled through env files.
> 
> I was thinking it might, but having used them to skip other hooks. I
> was thinking they could not be used as such for binary packages. Have
> you confirmed such is possible?  Could you provide a link or example?
> Thanks!

I'm not sure explicitly about environment files, but it's an option to
emerge.  For instance, I've added this to my EMERGE_DEFAULT_OPTS to
ensure none of the following are built:

--buildpkg-exclude "virtual/* sys-kernel/*-sources dev-perl/* perl-core/*"





signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Tue, 8 Aug 2017 10:18:36 -0700
Rich Freeman  wrote:
>
> Whether it belongs in the ebuild, or in metadata, is another matter.

The how, implementation, etc is not as important to me. I just think
there should be some means to prevent such. If there is not currently.

As mentioned there could be other uses/benefits of such depending on
how it is implemented. That is up to others. I just would like to not
have binaries made of packages I feel are a waste to be re-packaged
into a binpkg.

-- 
William L. Thomson Jr.

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Kristian Fiskerstrand]

On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote:
> Can you think of any? I cannot see any operator wanting a binary of a
> binary, or a package of sources. When they already have a sources

 - The machine you're installing it on might not have internet access so
you want to have the files stored in a single location for wrapping it up.

 - You might want an audit trail of installed packages, so using the
binary files on specific media ensures same copy is installed everywhere

 - You might be applying local patches through /etc/portage/patches that
are distributed to all clients

On 08/08/2017 07:23 PM, William L. Thomson Jr. wrote:
>> it can already be controlled through env files.
> I was thinking it might, but having used them to skip other hooks. I
> was thinking they could not be used as such for binary packages. Have
> you confirmed such is possible?  Could you provide a link or example?
> Thanks!

try something like:
/etc/portage/env/nobin:
FEATURES="-buildpkg"

/etc/portage/package.env/nobin:
sys-kernel/gentoo-sources nobin

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Michał Górny]

On wto, 2017-08-08 at 10:18 -0700, Rich Freeman wrote:
> On Tue, Aug 8, 2017 at 10:11 AM, Kristian Fiskerstrand  
> wrote:
> > On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote:
> > > I make a lot of binaries for use on other systems, to expedite updates.
> > > It does not make sense for some packages to ever be a binary package.
> > 
> > Any particular reason this decision shouldn't be left to the operator of
> > the binhost rather than the package maintainer? it can already be
> > controlled through env files.
> > 
> 
> Perhaps, but I could see some value in having some way to mark
> packages that don't compile anything.  This could also overlap
> somewhat with the desire to track arch-independent packages for
> stabilization purposes.  I could see it being useful to be able to
> obtain a list of all the binary packages in the Gentoo repo for QA
> purposes/etc as well.
> 
> Maybe it isn't a flag that outright blocks binary package building,
> but a way to mark such packages so that a user can apply a policy on
> top of this.
> 
> Whether it belongs in the ebuild, or in metadata, is another matter.

Does a package that builds documentation from sources count?

-- 
Best regards,
Michał Górny


signature.asc
Description: This is a digitally signed message part

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[William L. Thomson Jr.]

On Tue, 8 Aug 2017 19:11:18 +0200
Kristian Fiskerstrand  wrote:

> On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote:
> > I make a lot of binaries for use on other systems, to expedite
> > updates. It does not make sense for some packages to ever be a
> > binary package.  
> 
> Any particular reason this decision shouldn't be left to the operator
> of the binhost rather than the package maintainer?

Can you think of any? I cannot see any operator wanting a binary of a
binary, or a package of sources. When they already have a sources
tarball. Maybe in the case of shipping binaries without sources. But I
am not sure if an binary ebuild ignores SRC_URI entirely.

I think moving binaries without needing the distfiles would be the
only reason why an operator may prefer binaries of stuff that does not
get compiled, just installed.

> it can already be controlled through env files.

I was thinking it might, but having used them to skip other hooks. I
was thinking they could not be used as such for binary packages. Have
you confirmed such is possible?  Could you provide a link or example?
Thanks!


-- 
William L. Thomson Jr.


pgpmdoJlHwS7Z.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Rich Freeman]

On Tue, Aug 8, 2017 at 10:11 AM, Kristian Fiskerstrand  wrote:
> On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote:
>> I make a lot of binaries for use on other systems, to expedite updates.
>> It does not make sense for some packages to ever be a binary package.
>
> Any particular reason this decision shouldn't be left to the operator of
> the binhost rather than the package maintainer? it can already be
> controlled through env files.
>

Perhaps, but I could see some value in having some way to mark
packages that don't compile anything.  This could also overlap
somewhat with the desire to track arch-independent packages for
stabilization purposes.  I could see it being useful to be able to
obtain a list of all the binary packages in the Gentoo repo for QA
purposes/etc as well.

Maybe it isn't a flag that outright blocks binary package building,
but a way to mark such packages so that a user can apply a policy on
top of this.

Whether it belongs in the ebuild, or in metadata, is another matter.

-- 
Rich

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Kristian Fiskerstrand]

On 08/08/2017 06:37 PM, William L. Thomson Jr. wrote:
> I make a lot of binaries for use on other systems, to expedite updates.
> It does not make sense for some packages to ever be a binary package.

Any particular reason this decision shouldn't be left to the operator of
the binhost rather than the package maintainer? it can already be
controlled through env files.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



signature.asc
Description: OpenPGP digital signature

Re: [gentoo-dev] Prevent binary/non-compiled packages from binary package creation

[Rich Freeman]

On Tue, Aug 8, 2017 at 12:37 PM, William L. Thomson Jr.
 wrote:
>
> As most things I think this would require support in PMS, or next EAPI
> at minimum. But I think the EAPI comes from PMS, so they are related.
>

Actually, I'm not sure about this since it doesn't really affect what
is actually built, but I'll defer to others on that.  For example, in
[1] there is a statement "Package managers may recognise other tokens,
but ebuilds may not rely upon them being supported."  This strikes me
as that sort of thing, and indeed this might be the right place to put
it.  There is no real harm if a particular package manager doesn't
support this feature as it has no affect on what is installed.  I
believe we also use non-PMS variables for things like disabling QA
checks in tinderboxes and such, since this has no impact on package
managers.

A new EAPI would be defined in a new version of the PMS.  The PMS is
the specification that includes EAPI among other things.

1 - https://projects.gentoo.org/pms/6/pms.html#x1-920008.2.8

-- 
Rich