On 4/3/24 11:30 AM, Eddie Chapman wrote: > Just to report I've been able to remove app-arch/xz-utils from my own > workstation, with 2412 packages installed and running kde. I'm going to > roll it out to my other gentoo systems which have a lot less stuff on them > so am confident will be fine. It's not completely trivial but not as > difficult as I imagined it to be, certainly something an advance Gentoo > user could do if they wanted, with instructions. It does involve a > relatively small hack and functionality previously provided by xz-utils is > replaced by app-arch/p7zip.
I'd just like to clarify my previous posts: what you're describing here is neat and productive and valid to my eyes. Actually, I wish this had been the topic of the *first* post in this thread. :) Replacing implementations has several great uses. There's some prior art in make.conf, but it doesn't go far enough: PORTAGE_BZIP2_COMMAND BINPKG_COMPRESS BINPKG_COMPRESS_FLAGS Disregarding the security component entirely, one might wish to use pixz or pigz instead of the default programs. Why not 7zip as well? In terms of security, this suggests an easy and simple way both to allow users to depclean xz-utils without sacrificing the ability to install packages using *.tar.xz sources, and for Gentoo to roll out an update that would do this distribution-wide if necessary via a trivial configuration change. https://dev.gentoo.org/~ulm/pms/head/pms.html#section-12.3.15 may need updating to allow this. But it seems very valid to propose doing exactly that. I am not sure why it specifies e.g. "must ensure that GNU gzip" with heavy ties to implementations, when it doesn't specify such for compression. I'm guessing what you did was override/hook the unpack phase helper function and divert it to 7zip instead. ;) It would be interesting to have actual hooks for that instead. -- Eli Schwartz
OpenPGP_0x84818A6819AF4A9B.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
