Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies
On Wed, 2013-11-06 at 13:04 -0500, Ian Stakenvicius wrote:
> On 06/11/13 12:56 PM, yac wrote:
>> On Wed, 06 Nov 2013 16:48:54 +0100 Alexis Ballier aball...@gentoo.org wrote:
>>> On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote:
>>>> However, it's been a long-standing general practise that if there are no deps in the tree older than what is necessary for a package, that package doesn't need to have a minimum version on the dependency atom. As such, issues similar to this are probably lying in wait all over the place in the tree.
>>>
>>> this is a common misconception: ebuilds must have min. deps matching their requirements (exactly because of this problem)
>>>
>>> it can be fixed on the user side by 'emerge -uDN world' meanwhile but this doesn't mean the ebuild doesn't have a bug, even if minor
>>>
>>> Alexis.
>>
>> When I started contributing via sunrise, I've been adding the minimal versions of dependencies as declared by upstream but I met with very strict enforcement of the policy to not specify minimal version if all the ones in current tree satisfy.
>>
>> Is it documented somewhere or is it just unwritten consensus? What I see is only Ebuild Policy [1e] which doesn't deal with this.
>>
>> .. [1e] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2chap=1
>
> I searched as well, and couldn't find anything documented one way or the other, either. I concluded that it's unwritten consensus. That's the main reason I wanted to start this discussion -- to effectively start documenting it and get devs all on the same page.
>
> To be honest I think it should be policy or at least a written-down guideline, that devs should do this within reason -- if an older-than-minimum version of something has been in the tree within the past year. Gone for more than a year should be safe, I expect.

it's kind of common sense IMHO but if you want a policy, then go for it :)

there shouldn't be any time limit; portage doesn't do -uDN by default and people want this because of the if it ain't broken don't fix it motto.
with prod servers you want to update portage for EAPI stuff, get security fixes, but not much more; even an up to date box can have 5 years gone packages.

in short: if a package requires version X then the ebuild should require version X; it can be forgotten but it's a bug.
[gentoo-dev] Re: OCSP Was: friendly reminder wrt net virtual in init scripts
Thomas D. posted on Thu, 07 Nov 2013 02:00:29 +0100 as excerpted:
> Duncan wrote:
>> Meanwhile, another question for Thomas. Is this certificate stapling the same thing google chrome is now doing for the google site, that enabled it to detect the (I think it was) Iranian and/or Chinese CA tampering, allowing them to say a google cert was valid that was actually their MitM cert, as appeared in the tech-news a few months ago? Or was that something different?
>
> No, OCSP Stapling is something else. Guess you are talking about HSTS and SSL pinning [1,2]: In Google Chrome, they hard coded some certificates/certificate meta data [3] which must be present in every certificate used for any Google site.

That was it, yes. Thanks greatly for clearing up my confusion. =:^)

--
Duncan - List replies preferred. No HTML msgs.
Every nonfree program has a lord, a master -- and if you use the program, he is your master. Richard Stallman
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
Dear Denis,

Denis M. g...@politeia.in writes:
> Please review this, and if you agree that it'd be a good idea come with any suggestions to make it happen as well as with any other thoughts/sys-specs/instances we should be looking for.

Thanks for the offering. Though not a member, AT teams might benefit from such a build farm.

What are you suggesting practically, making a policy for everyone to donate VM to Gentoo, or developing a midware to do so?

Cheers,
Benda
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 12:53 PM, hero...@gentoo.org wrote:
> Dear Denis,

Hi Benda,

> Denis M. g...@politeia.in writes:
>> Please review this, and if you agree that it'd be a good idea come with any suggestions to make it happen as well as with any other thoughts/sys-specs/instances we should be looking for.
>
> Thanks for the offering. Though not a member, AT teams might benefit from such a build farm.

Almost every Gentoo dev that does software testings of some sorts could benefit from these build farms (although I'd refrain from using that term ;) ..).

> What are you suggesting practically, making a policy for everyone to donate VM to Gentoo, or developing a midware to do so?

My initial idea was to suggest this here (in the gentoo-dev@ ML) first and see what you guys think about the idea. If it gets accepted by majority, then a policy, rules, etc... should be gathered through your comments here. After that we could make a wiki page (as Ago suggested while we were talking about this in IRC) and spam the gentoo-user ML and see how many good people are there :-).

> Cheers,
> Benda

Regards,
Denis M.
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On Thu, Nov 7, 2013 at 7:14 AM, Denis M. g...@politeia.in wrote:
> Almost every Gentoo dev that does software testings of some sorts could benefit from these build farms (although I'd refrain from using that term ;) ..).

Don't let me put a damper on your plans as-is, but I'd be interested if developers who frequently perform these kinds of tasks post about what they're actually doing.

Rather than just asking people to give random others ssh access to random boxes, it might make sense to streamline certain tasks. Imagine a tool that takes in a list of atoms and dumps a tarball of build logs in some standard layout. That could be easily distributed (assuming packages were reasonably independent), and tools like tatt might even be adapted.

Not a reason to delay what you propose, just another opportunity.
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
Rackspace (where I work) currently has a developer discount program. I think we also host some open source stuff for various projects. Right now you can try to use http://developer.rackspace.com/ but if we want to make this more official I can ask around. Let me know if we want this as a more official thing (rackspace donating compute resources), no guarantees though :D.

--
-- Matthew Thode (prometheanfire)
Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies
Alexis Ballier wrote:
> it's kind of common sense IMHO

Unfortunately what makes sense to people is never common. :\

> there shouldn't be any time limit
..
> in short: if a package requires version X then the ebuild should require version X; it can be forgotten but it's a bug.

+1

//Peter
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 02:48 PM, Matthew Thode wrote:
> Rackspace (where I work) currently has a developer discount program. I think we also host some open source stuff for various projects. Right now you can try to use http://developer.rackspace.com/ but if we want to make this more official I can ask around. Let me know if we want this as a more official thing (rackspace donating compute resources), no guarantees though :D.

To be honest, I would like Gentoo infra to come up with a solution sometime... Last time (a year ago) I asked them about this, they said they have a cluster/big box for this purpose but they just didn't have the time to deploy it properly or something.

Not everyone can afford paid solutions when it comes to contributing to free software

--
Regards,
Markos Chandras
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 12:26 PM, Markos Chandras wrote:
> On 11/07/2013 02:48 PM, Matthew Thode wrote:
>> Rackspace (where I work) currently has a developer discount program. I think we also host some open source stuff for various projects. Right now you can try to use http://developer.rackspace.com/ but if we want to make this more official I can ask around. Let me know if we want this as a more official thing (rackspace donating compute resources), no guarantees though :D.
>
> To be honest, I would like Gentoo infra to come up with a solution sometime... Last time (a year ago) I asked them about this, they said they have a cluster/big box for this purpose but they just didn't have the time to deploy it properly or something.
>
> Not everyone can afford paid solutions when it comes to contributing to free software

iirc, we give $200 if infra for developer accounts for a couple of months. If a deal is struck it would likely be more and forever or something.

--
-- Matthew Thode (prometheanfire)
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 08:59 PM, Matthew Thode wrote:
> On 11/07/2013 12:26 PM, Markos Chandras wrote:
>> On 11/07/2013 02:48 PM, Matthew Thode wrote:
>>> Rackspace (where I work) currently has a developer discount program. I think we also host some open source stuff for various projects. Right now you can try to use http://developer.rackspace.com/ but if we want to make this more official I can ask around. Let me know if we want this as a more official thing (rackspace donating compute resources), no guarantees though :D.
>>
>> To be honest, I would like Gentoo infra to come up with a solution sometime... Last time (a year ago) I asked them about this, they said they have a cluster/big box for this purpose but they just didn't have the time to deploy it properly or something.
>>
>> Not everyone can afford paid solutions when it comes to contributing to free software
>
> iirc, we give $200 if infra for developer accounts for a couple of months. If a deal is struck it would likely be more and forever or something.

I've been running my VM for Ago for 13 months now (started on September 2012), where are my $200? ;-)

Regards,
Denis M. (Phr33d0m)
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On Thu, Nov 7, 2013 at 3:08 PM, Denis M. g...@politeia.in wrote:
> On 11/07/2013 08:59 PM, Matthew Thode wrote:
>> iirc, we give $200 if infra for developer accounts for a couple of months. If a deal is struck it would likely be more and forever or something.
>
> I've been running my VM for Ago for 13 months now (started on September 2012), where are my $200? ;-)

Can't argue with that. :)

Seriously, though, I'd love to see these needs better supported. I think we need to start by defining what the needs actually are (less redundancy, more consistency, etc). Then we figure out how to best address them. It could be individuals donating VMs, or it might be Gentoo buying resources from any number of vendors, or it could be Gentoo going out and looking for donors.

I suspect that if we went out with something specific in mind we might be able to find a sponsor - but it is always best to have some idea just what we're going to be using any donations for (this will be our stage3 builder which cranks out a new stage3 every 20 minutes and reports build failures to double as a tinderbox, etc).

Rich
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 09:18 PM, Rich Freeman wrote:
> On Thu, Nov 7, 2013 at 3:08 PM, Denis M. g...@politeia.in wrote:
>> On 11/07/2013 08:59 PM, Matthew Thode wrote:
>>> iirc, we give $200 if infra for developer accounts for a couple of months. If a deal is struck it would likely be more and forever or something.
>>
>> I've been running my VM for Ago for 13 months now (started on September 2012), where are my $200? ;-)
>
> Can't argue with that. :)
>
> Seriously, though, I'd love to see these needs better supported. I think we need to start by defining what the needs actually are (less redundancy, more consistency, etc). Then we figure out how to best address them. It could be individuals donating VMs, or it might be Gentoo buying resources from any number of vendors, or it could be Gentoo going out and looking for donors.
>
> I suspect that if we went out with something specific in mind we might be able to find a sponsor - but it is always best to have some idea just what we're going to be using any donations for (this will be our stage3 builder which cranks out a new stage3 every 20 minutes and reports build failures to double as a tinderbox, etc).
>
> Rich

Currently Diego's tinderbox does something like that AFAIK. Compiles things and (almost?) automatically submits bugs against the packages with the relevant logs, etc...

The initial idea behind my suggestion was that the devs would have enough system resources to address these bugs (and the ones reported from the users, of course). An example here could be the following: finding/confirming a compilation bug for a package with ~10 USE flags could take tatt quite some compilations depending on the USE flag's combinations (this is actually what arch testers do in order to stabilize/keyword a package). Another example would be, as I mentioned in my previous mails to this thread - a new glibc version comes out and (as you know) quite some packages fail to compile against it.
Having the resources, it would be possible to track these packages faster instead of relying on random users/testers to report them to bugs.g.o. And a last one would be testing new KDE/GNOME/whatever-meta-with-huge-number-of-packages.

As an AT member myself I could only give examples on how using such system of donating/providing instances would be a benefit. For a comprehensive list of the tasks (for consistency as you said), I'd wait for actual devs to enumerate their needs.

I doubt this will go as far as Gentoo actually *buying* resources. The reason is obvious - things have been going fine till now, why throw monnies for something as 'unnecessary' (which is why I haven't received a penny for it, hehehe), that's why I came with the donorship-of-instances version.

I believe the 'going out looking for donors' part you said is basically what I'm suggesting here, although I believe you meant donors = huge companies providing clusters, and I doubt that'll happen. From my observation, you can get a lot of work done on a simple 2GB-ram-4-cores VirtualBox VM. Not to talk that lots of people nowadays have these resources to spare. That's why getting actual people (and not companies or whatever) to donate their system resources is easier to get/reach.

Regards,
Denis M.
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 07/11/13 09:20 AM, Rich Freeman wrote:
> On Thu, Nov 7, 2013 at 7:14 AM, Denis M. g...@politeia.in wrote:
>> Almost every Gentoo dev that does software testings of some sorts could benefit from these build farms (although I'd refrain from using that term ;) ..).
>
> Don't let me put a damper on your plans as-is, but I'd be interested if developers who frequently perform these kinds of tasks post about what they're actually doing.
>
> Rather than just asking people to give random others ssh access to random boxes, it might make sense to streamline certain tasks. Imagine a tool that takes in a list of atoms and dumps a tarball of build logs in some standard layout. That could be easily distributed (assuming packages were reasonably independent), and tools like tatt might even be adapted.
>
> Not a reason to delay what you propose, just another opportunity.

I guess nobody wants to try and setup a VM-image-based heterogeneous grid system, huh? :)
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 11/07/2013 03:07 PM, Denis M. wrote:
> On 11/07/2013 09:18 PM, Rich Freeman wrote:
>> On Thu, Nov 7, 2013 at 3:08 PM, Denis M. g...@politeia.in wrote:
>>> On 11/07/2013 08:59 PM, Matthew Thode wrote:
>>>> iirc, we give $200 if infra for developer accounts for a couple of months. If a deal is struck it would likely be more and forever or something.
>>>
>>> I've been running my VM for Ago for 13 months now (started on September 2012), where are my $200? ;-)
>>
>> Can't argue with that. :)
>>
>> Seriously, though, I'd love to see these needs better supported. I think we need to start by defining what the needs actually are (less redundancy, more consistency, etc). Then we figure out how to best address them. It could be individuals donating VMs, or it might be Gentoo buying resources from any number of vendors, or it could be Gentoo going out and looking for donors.
>>
>> I suspect that if we went out with something specific in mind we might be able to find a sponsor - but it is always best to have some idea just what we're going to be using any donations for (this will be our stage3 builder which cranks out a new stage3 every 20 minutes and reports build failures to double as a tinderbox, etc).
>>
>> Rich
>
> Currently Diego's tinderbox does something like that AFAIK. Compiles things and (almost?) automatically submits bugs against the packages with the relevant logs, etc...
>
> The initial idea behind my suggestion was that the devs would have enough system resources to address these bugs (and the ones reported from the users, of course). An example here could be the following: finding/confirming a compilation bug for a package with ~10 USE flags could take tatt quite some compilations depending on the USE flag's combinations (this is actually what arch testers do in order to stabilize/keyword a package). Another example would be, as I mentioned in my previous mails to this thread - a new glibc version comes out and (as you know) quite some packages fail to compile against it.
> Having the resources, it would be possible to track these packages faster instead of relying on random users/testers to report them to bugs.g.o. And a last one would be testing new KDE/GNOME/whatever-meta-with-huge-number-of-packages.
>
> As an AT member myself I could only give examples on how using such system of donating/providing instances would be a benefit. For a comprehensive list of the tasks (for consistency as you said), I'd wait for actual devs to enumerate their needs.
>
> I doubt this will go as far as Gentoo actually *buying* resources. The reason is obvious - things have been going fine till now, why throw monnies for something as 'unnecessary' (which is why I haven't received a penny for it, hehehe), that's why I came with the donorship-of-instances version.
>
> I believe the 'going out looking for donors' part you said is basically what I'm suggesting here, although I believe you meant donors = huge companies providing clusters, and I doubt that'll happen. From my observation, you can get a lot of work done on a simple 2GB-ram-4-cores VirtualBox VM. Not to talk that lots of people nowadays have these resources to spare. That's why getting actual people (and not companies or whatever) to donate their system resources is easier to get/reach.
>
> Regards,
> Denis M.

I may also have a small openstack cluster I can let people use soonish. Working on a backlog of issues now.

--
-- Matthew Thode (prometheanfire)
Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies
On Thursday, 07 November 2013 at 10:44 +0100, Alexis Ballier wrote:
> in short: if a package requires version X then the ebuild should require version X; it can be forgotten but it's a bug.

That _is_ our policy. Ebuilds should - at the very least - mirror what upstream's build script requires.

So, count my +1 there.

Rémi
Re: [gentoo-dev] Suggestion: support the Dev team with system resources
On 07.11.2013 21:18, Rich Freeman wrote:
> Seriously, though, I'd love to see these needs better supported. I think we need to start by defining what the needs actually are (less redundancy, more consistency, etc). Then we figure out how to best address them. It could be individuals donating VMs, or it might be Gentoo buying resources from any number of vendors, or it could be Gentoo going out and looking for donors.

I agree with that. It's easier to decide what to do if we know what we need. A solution built by the infra team would be the best solution for the same reasons why it's better to put stuff on the devspace instead of private servers (availability; who can fix stuff, logins, etc). But if someone needs resources and a box to play with I would happily provide an Xen instance.

Just wondering: How is the AT for $minorarch done? Is it possible to run, say, mips on xen/whatever through some emulation layer or is real hardware a requirement for these archs?

For the security concerns: I think these boxes should be used for testing only and not for development - every commit must be done from a box fully under the dev's control.
[gentoo-dev] removing vulnerable versions of dev-lang/v8
For some context of this please see http://thread.gmane.org/gmane.linux.gentoo.devel/88222

v8-3.20.17.7 fixes a memory corruption vulnerability, see http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html

However, we still have v8-3.19 and even 3.18 in portage - this is probably an oversight when stabilizing new versions.

Problem #1 is that sci-geosciences/osgearth-2.4 depends on =dev-lang/v8-3.18.5.14 (see https://bugs.gentoo.org/show_bug.cgi?id=484786 for context). It doesn't work with more recent v8, but it can be made to not depend on v8.

Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is actually broken for other reasons, see https://bugs.gentoo.org/show_bug.cgi?id=490216. I'd like that USE flag to be removed and v8 to always be disabled in drizzle.

With that I'd like to proceed with hard masking v8.

I'm working with upstream on better API stability, it seems to be working pretty well. That's still a very long way to ABI stability, if at all possible.

Please comment on possible solutions for removing known vulnerable v8 versions from the tree.

Paweł
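
The audit the post above calls for (finding which reverse dependencies still pin a pre-fix v8 before the old versions are masked), as an added example that is not part of the original message and is not Portage code. It assumes plain dotted versions and the operators =, <, <=, >, >= only; the `app-misc/example-*` consumers and the `3.19.0.0` tree version are constructed sample data.

```python
import re

FIXED = "3.20.17.7"  # fixed v8 release named in the post

# Simplified atom grammar (assumption): optional operator, category/name,
# optional plain dotted version. No revisions, suffixes, slots or globs.
ATOM_RE = re.compile(
    r"^(>=|<=|=|>|<)?([a-z0-9-]+/[A-Za-z0-9_+-]+?)(?:-(\d+(?:\.\d+)*))?$"
)

def vtuple(version):
    """'3.18.5.14' -> (3, 18, 5, 14) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))

def parse_atom(atom):
    """Split an atom into (operator, category/name, version tuple or None)."""
    m = ATOM_RE.match(atom)
    # An operator and a version must appear together or not at all.
    if not m or (m.group(1) is None) != (m.group(3) is None):
        raise ValueError(f"unsupported atom: {atom!r}")
    op, cp, ver = m.groups()
    return op, cp, vtuple(ver) if ver else None

def pins_vulnerable(op, ver, fixed):
    """True when no version >= fixed can satisfy the (op, ver) constraint."""
    if op in (None, ">=", ">"):
        return False          # open upwards: a fixed version satisfies it
    if op == "<":
        return ver <= fixed   # everything below ver is below the fix
    return ver < fixed        # "=" and "<=" top out at ver itself

def removal_blockers(rdeps, package, fixed=FIXED):
    """(consumer, atom) pairs that only a vulnerable `package` can satisfy."""
    limit = vtuple(fixed)
    blockers = []
    for consumer, atoms in rdeps.items():
        for atom in atoms:
            op, cp, ver = parse_atom(atom)
            if cp == package and pins_vulnerable(op, ver, limit):
                blockers.append((consumer, atom))
    return sorted(blockers)

def maskable_versions(tree_versions, fixed=FIXED):
    """Versions in the tree that predate the fix (mask/removal candidates)."""
    return [v for v in tree_versions if vtuple(v) < vtuple(fixed)]

SAMPLE_RDEPS = {
    "sci-geosciences/osgearth-2.4": ["=dev-lang/v8-3.18.5.14"],  # from the post
    "app-misc/example-a-1.0": [">=dev-lang/v8-3.19", "dev-libs/icu"],  # constructed
    "app-misc/example-b-2.1": ["<dev-lang/v8-3.20"],                   # constructed
    "app-misc/example-c-0.3": ["dev-lang/v8"],                         # constructed
}
SAMPLE_TREE = ["3.18.5.14", "3.19.0.0", "3.20.17.7"]  # 3.19.0.0 is a placeholder

if __name__ == "__main__":
    for consumer, atom in removal_blockers(SAMPLE_RDEPS, "dev-lang/v8"):
        print(f"{consumer} blocks removal: {atom}")
    print("mask candidates:", maskable_versions(SAMPLE_TREE))
```

Every consumer it reports has to be patched, have the dependency dropped, or be masked together with the vulnerable versions.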