Re: [gentoo-dev] Re: Things one could be upset about

2015-01-26 Thread Rich Freeman 
On Mon, Jan 26, 2015 at 8:21 AM, Duncan 1i5t5.dun...@cox.net wrote:
 The result of the current policy is that if you're waiting for the GLSA,
 unless it's _extreme_ priority (heartbleed level), on at least amd64,
 you're very often sitting there exposed for well over a week, and too
 often a month, after the fix is out there, actually installed on /my/
 systems.  And to me that's a game of Russian Roulette odds that I'm
 simply not willing to play.

Agree.  Honestly, I think we should really reconsider the current GLSA
policy.  I half-consider unsubscribing to them since they often come
out weeks after a vulnerability is fixed on amd64, let alone
discovered.  If you're relying on glsa-check as the indicator as to
whether you should update, then you're probably going to be vulnerable
for weeks.

I wonder if it would make sense to just send them out on first-fix, or
even on stablereq.  The main reason that I'd hold off on sending them
out at first sign of vulnerability is that information on what
versions are/aren't vulnerable is going to be hazy, and it won't have
clear instructions on what to do.  You might end up picking the wrong
version to update to and then find yourself having to update again or
downgrading or running ~arch because the package maintainer decided to
do something different.  By the time you have a stablereq things have
settled down - maybe if a bug is found on another arch you might end
up with a revbump, but that is going to be minor impact and anybody
doing daily updates is going to get hit by that anyway.

From a PR standpoint we'll be communicating to some users that they
are vulnerable, and we haven't completely fixed the issue yet.  I
think we just need to reset expectations here.  The fact is that today
they're just as vulnerable, but we don't broadcast that.  Sending out
notice sooner will help out users who want to update based on GLSAs,
and if there isn't a stable version yet the user can decide whether to
just wait for testing or move ahead on their own.

It just seems to me that the current approach of sending out GLSAs a
month after the fix is available for 98% of our users makes them
fairly unuseful.

--
Rich

Re: [gentoo-dev] Re: Things one could be upset about

2015-01-26 Thread Róbert Čerňanský 
On Mon, 26 Jan 2015 09:20:30 -0500
Rich Freeman ri...@gentoo.org wrote:

 On Mon, Jan 26, 2015 at 8:21 AM, Duncan 1i5t5.dun...@cox.net wrote:
  The result of the current policy is that if you're waiting for the
  GLSA, unless it's _extreme_ priority (heartbleed level), on at
  least amd64, you're very often sitting there exposed for well over
  a week, and too often a month, after the fix is out there, actually
  installed on /my/ systems.  And to me that's a game of Russian
  Roulette odds that I'm simply not willing to play.
 
 From a PR standpoint we'll be communicating to some users that they
 are vulnerable, and we haven't completely fixed the issue yet.  I
 think we just need to reset expectations here.  The fact is that today
 they're just as vulnerable, but we don't broadcast that.  Sending out
 notice sooner will help out users who want to update based on GLSAs,
 and if there isn't a stable version yet the user can decide whether to
 just wait for testing or move ahead on their own.

I do check also other sources of security related info and take
measures if it affects me (update affected package, change
configuration, ...).  I should say earlier security updates instead
of GLSAs which would be actually closer to reality.

I agree that (unfixed) security issues should be communicated so we do
not put false hopes to GLSA.

Robert


-- 
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk

Re: [gentoo-dev] Re: Things one could be upset about

2015-01-25 Thread Róbert Čerňanský 
On Sun, 25 Jan 2015 04:29:43 + (UTC)
Duncan 1i5t5.dun...@cox.net wrote:

 Alexey Mishustin posted on Sat, 24 Jan 2015 21:54:06 +0400 as
 excerpted:
 
  2015-01-20 14:42 GMT+04:00 Róbert Čerňanský ope...@tightmail.com:
 
  I somehow thought that edit the overgrowing package.use
  file upon each emerge world annoys anyone the same as me.
  
  But for me this is one of the most useful and convenient options in
  Gentoo. Yes, I do edit package.use almost every emerge world. And I
  like to do it. And I don't want to delegate this right to any
  program - portage, or any other.
 
 Agreed that I don't want to (and won't) delegate that decision, but 
 almost every emerge world?  Not here.  So ???
 
 I do edit package.use (or my global USE flags) occasionally, but not
 as often as the above implies.  What might I be doing different?
 Well, here's what I do:
 
 1) I try to sync and update deep newuse @world once a week, tho
 sometimes it's every two weeks (but sometimes it's daily).  I suppose
 if people only get to it every couple months, they'll have more
[...]
 So maybe it's simply that I update frequently enough, tho I /do/ run 
 ~arch as well, which changes much faster than stable, and I even run

More frequent updates is most likely the reason that you do not have
to edit use flags every time.  Running testing perhaps does not
increase the editing frequency because dependency changes are the same
regardles of how many bumps a package has.  For example in testing
you'll get following updates of package foo: foo-1.1, ~foo-1.2,
~foo-1.3, foo-1.4.  In stable, I would get: foo-1.1, foo-1.4.  If
dependency changes in 1.3, both of us could have to edit USE flags
once.

I update every 2-4 months (only GLSAs in between) therefore my
experience is that I have to edit it every time (not for GLSAs of
course).

 2) My global USE= starts with -*.  I got tired of worrying about what
[...]
 3) I don't normally distinguish between local and global USE flags.
 I normally treat them all as global and set them globally in my
 make.conf use file[1].  When I encounter a new USE flag, because of
 the -* in USE, it's off by default.  If I decide I want it off, no
 problem, it's off. If I decide I want it on, I run an equery hasuse
 flag to see if any other package uses it.  If nothing else uses it,
[...]
 Similarly, if I encounter a new USE flag that's on already, obviously 
 some other package I use is already using it and the entry is in my
 use file or it wouldn't be on already, due to the -* in that use
 file. That's a strong hint what I'm likely to want the default to
 be.  If I decide I want it off anyway, I run an equery hasuse flag
[...]
 So for all flags, if I want the default off, due to the -* in my use 
 file, it's off.  If I want the default on, it's in my use file,
 turning it on.
 
 4) The result is that my package.use files contain ONLY non-default 
 entries.

More or less same here, except -* as the default.  I trust developers
that they are choosing wisely in profile and ebuilds. ;-)  If not, I
see it in emerge -av output anyway and can disable/enable particular
flag.  But generally I have vast majority of flags in make.conf and
exceptions in package.use.

 When I set such an entry, I prefix a comment line with the date and
 an explanation of WHY the entry needs to be there, different from my
 normal default settings.  Sometimes, it's due to a bug, and a couple
 versions later I can go thru and test with that entry commented, to
 see if the bug is fixed, yet.  Other times it's due to a use-dep from
 some other package I have installed.  Both qt and kde tend to have

This where we get to the point.  If you set USE flag because of a bug
or because of dependency it is not because you *want to* but because
you *have to* (or portage *needs to*).  Therefore you need to add a
comment WHY you did it.

For example I have -doc in make.conf because I do *not want* docs
globally.  But I have 'dev-lang/python doc' in package.use because I
develop in Python and *want* the documentation for it.  Such entry
does not need a comment, because I simply know what I want.

Another example.  I have -python globally and have been using
app-mobilephone/gammu.  Now I want to emerge app-mobilephone/wammu.
But it needs +python for gammu, so I *have to* set
'app-mobilephone/gammu python' in package.use.  In this case I also
add a comment which explains the reason because it is not what *I
want* it is what *portage needs*.  Once this dependency is gone
(either because wammu stops requiring it or I unmerge it) it is on me
to detect it and remove the entry.  So effectively I manage portage's
stuff in my configuration file.

 Regardless of why it's there, however, because only non-default
 entries are in package.use, they're the obvious exception.

You somehow do not distinguish between those two types of exceptions
explained in examples above.

 And as exceptions, they don't tend to change that often. =:^)
 Generally,

They might change as

Re: [gentoo-dev] Re: Things one could be upset about

2015-01-21 Thread Róbert Čerňanský 
On Wed, 21 Jan 2015 01:57:27 + (UTC)
Duncan 1i5t5.dun...@cox.net wrote:

 Róbert Čerňanský posted on Tue, 20 Jan 2015 06:51:01 +0100 as
 excerpted:
 
  On Mon, 19 Jan 2015 20:51:31 + Ciaran McCreesh
  ciaran.mccre...@googlemail.com wrote:
  
  On Mon, 19 Jan 2015 21:44:25 +0100 Róbert Čerňanský
  ope...@tightmail.com wrote:
   From my point of view it would do much help if portage resolves
   USE dependencies automatically instead of telling the user to
   change USE flags manually (I am talking about bug #258371).
  
  This is only possible in carefully selected circumstances, and to
  get it to work more generally would require a lot of hinting from
  package maintainers.
  
  But portage already knows that.  It tells the user which USE flags
  needs to be changed in order to emerge a package.  It should just
  go one step further - to make the proposed change happen by itself.
 
 Actually, current portage (2.2.15 is what I have installed here ATM)
 does exactly that, making changes to the appropriate package.* files
 as necessary, mediated only by the usual CONFIG_PROTECT variables.

No, no, no that is not the right solution.  Portage should _not_ touch
my precious config files crafted for many years.  It should store the
USE related dependencies info in its _internal_ structures (somewhere
in /var/db/pkg I presume).  Sorry I was not clear previously.  Moreover
it should be able to depclean them - revert the USE changes once the
dependency is no longer needed (for example with new emerge option
--use-depclean).  Just like with standard package dependencies.

 Since /etc/portage is CONFIG_PROTECTed by default, these changes
 normally first appear in that feature's .* files, to be merged by the
[...]
 tolerable. As others in-thread have stated, we don't believe that's
 something portage should be messing with.

Totally agree, it should mess only with /var/db/pkg or so, not /etc.

[... sniped great explanation of current testing portage behaviour in
this regard; thanks for that, even though it is not what I crave for]

Robert


-- 
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk