Re: [gentoo-dev] Re: Short bugzilla outage today between 2100-2200 UTC
On Thu, 2012-07-05 at 08:19 +0200, Xavier Miller wrote:
> Quoting Theo Chatzimichos :
>
> > Finished, everything seems fine again. Please let us know if you
> > notice any weird behavior
>
> Hello,
>
> When I want to see an attachment, the URL becomes
> https://#bug_od#.b.g.o and I need to register the certificate for
> every bug.
>
> Xavier

This has been the case for over a year probably. Gentoo's bugzilla uses https with CAcert certificates which are not trusted by default on most non-Gentoo machines. There have been some discussions on gentoo-core about moving to a more widely trusted certificate authority; as far as I remember, the big stumbling block was that the big certificate authorities wanted too much personal information from Gentoo trustees.

In the meantime, unless you are on a locked-down system, you can install the CAcert class 3 certificate from http://www.cacert.org/index.php?id=3

-Alexandre
Re: [gentoo-dev] Re: Short bugzilla outage today between 2100-2200 UTC
Quoting Xavier Miller :

> Quoting Theo Chatzimichos :
>
> > Finished, everything seems fine again. Please let us know if you notice any weird behavior
>
> Hello,
>
> When I want to see an attachment, the URL becomes https://#bug_od#.b.g.o and I need to register the certificate for every bug.
>
> Xavier

Sorry, this is only one new certificate, which applies for [0-9].b.g.o

Not a problem.

Xavier.
Re: [gentoo-dev] Re: Short bugzilla outage today between 2100-2200 UTC
Quoting Theo Chatzimichos :

> Finished, everything seems fine again. Please let us know if you notice any weird behavior

Hello,

When I want to see an attachment, the URL becomes https://#bug_od#.b.g.o and I need to register the certificate for every bug.

Xavier
Re: [gentoo-dev] grub:2 keywords
On Tue, Jul 3, 2012 at 9:20 AM, Jeroen Roovers wrote:
> On Mon, 2 Jul 2012 15:02:28 -0400
> Mike Gilbert wrote:
>
>> That is exactly what Doug (cardoe) proposed, and he is working on the
>> docs for that.
>
> Ah yes, it's been a long-winded thread. :)
>
> jer

I got a little busier this past weekend than I had intended (loving that leap second bug) but here's the first draft: http://dev.gentoo.org/~cardoe/docs/grub2-migration.xml

It will be integrated into the official Gentoo doc set once I get a nod from the docs guys.

--
Doug Goldstein
Re: [gentoo-dev] Kernel compiles and you
On Thu, Jul 5, 2012 at 4:36 AM, Albert W. Hopkins wrote:
> There are kernel-dependent packages that (seem to) always look for
> configuration options, symbols, etc. in /usr/src/linux. When you use O=
> then those features do not exist in /usr/src/linux and thus those
> packages will fail. So I have basically abandoned using O=.

Try setting KBUILD_OUTPUT in /etc/make.conf — it will be used by linux-info.eclass (and linux-mod.eclass) automatically, so most kernel module-compiling ebuilds will do the right thing. There are exceptions, such as the VirtualBox packages above, which want access to the build tree outside module compilation for whatever reason, but I already found a fix for that specific problem (--with-linux=${KV_OUT_DIR}), so count me as a fan of O=.

You can also apparently set KERNEL_DIR to something other than /usr/src/linux, but with "eselect kernel" available, this variable is probably best left alone.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: [gentoo-dev] Kernel compiles and you
On Wednesday 04 July 2012 21:36:02 Albert W. Hopkins wrote:
> Might it be better if you could tell portage to look for kernel builds
> in another location than /usr/src/linux. Perhaps you can already and I'm
> not aware.

export KBUILD_OUTPUT=...

-mike
Re: [gentoo-dev] Kernel compiles and you
On Thu, 2012-07-05 at 02:49 +0300, Maxim Kammerer wrote:
> On Wed, Jul 4, 2012 at 9:56 PM, William Hubbs wrote:
> > Actually the directories do not need write permissions either. Take a
> > look at the O= option documented in /usr/src/linux/README.
>
> The KBUILD_OUTPUT / O= option seems like the best solution to me
> (especially so as I build three kernel images from a single sources
> tree), and it works well, except that it sometimes doesn't with
> especially monstrous and hard to configure packages such as
> virtualbox-guest-additions — see bug #424816.

I've experimented with O= in the past. It seems like a good solution, however...

There are kernel-dependent packages that (seem to) always look for configuration options, symbols, etc. in /usr/src/linux. When you use O= then those features do not exist in /usr/src/linux and thus those packages will fail. So I have basically abandoned using O=.

Might it be better if you could tell portage to look for kernel builds in another location than /usr/src/linux. Perhaps you can already and I'm not aware. If not, then this just be a lot of work and perhaps the benefits do not outweigh the effort involved?

Anyway, just something to think about.

-a
Re: [gentoo-dev] Kernel compiles and you
On 07/04/2012 07:58 PM, Rich Freeman wrote:
> On Wed, Jul 4, 2012 at 7:49 PM, Maxim Kammerer wrote:
>> The KBUILD_OUTPUT / O= option seems like the best solution to me
>> (especially so as I build three kernel images from a single sources
>> tree), and it works well, except that it sometimes doesn't with
>> especially monstrous and hard to configure packages such as
>> virtualbox-guest-additions — see bug #424816.
>
> From a compatibility and simplicity standpoint simply making the
> directory group-writable seems like the simplest solution. However,
> the group should be something dedicated - not users.

A similar problem occurs in sys-freebsd/virtio-kmod. The ebuild works around it by copying all of the files into the build directory like what FreeBSD Ports does. We were able to improve on that by only copying the files that were needed and using hard links whenever possible. It should be possible to do the same here.
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 4, 2012 at 7:49 PM, Maxim Kammerer wrote:
> The KBUILD_OUTPUT / O= option seems like the best solution to me
> (especially so as I build three kernel images from a single sources
> tree), and it works well, except that it sometimes doesn't with
> especially monstrous and hard to configure packages such as
> virtualbox-guest-additions — see bug #424816.

From a compatibility and simplicity standpoint simply making the directory group-writable seems like the simplest solution. However, the group should be something dedicated - not users.

While I can see how build system bugs might be bad when running as root, you have to keep in mind that chances are that once you're done with building the kernel you're going to execute it in ring-0. When you run make modules_install that is also going to need to run as root and it could clobber things as well.

About the only really "safe" approach would be to run as a limited user, install it into some offset/chroot, package it, and then install it using portage as a binpkg. That actually has advantages on many levels, and it basically is what we do with everything else.

Rich
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 4, 2012 at 9:56 PM, William Hubbs wrote:
> Actually the directories do not need write permissions either. Take a
> look at the O= option documented in /usr/src/linux/README.

The KBUILD_OUTPUT / O= option seems like the best solution to me (especially so as I build three kernel images from a single sources tree), and it works well, except that it sometimes doesn't with especially monstrous and hard to configure packages such as virtualbox-guest-additions — see bug #424816.

[1] https://bugs.gentoo.org/show_bug.cgi?id=424816

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 04, 2012 at 07:46:47PM +0200, Tobias Klausmann wrote:
> Hi!
>
> Recently, I have again bumped into the question whether one
> should compile the kernel as root. One of the things that puzzles
> me is why almost every HowTo, blog post and book recommends
> building as non-root -- yet basically no distribution /helps/ the
> user with doing that.

Most distros don't have to do anything, they are not requiring users to build their own kernels :)

So in reality, they all do help their users with this, it's trivial to build a kernel as a user on those distros. Actually, it is also on Gentoo, there's no need to ever put a kernel anywhere except in your home directory when building it.

Oh, and one more reason you "never want to build your kernel as root", a few years ago, the kernel build process had a bug where it accidentally tried to do a 'rm -rf /*' on your filesystem. None of the kernel developers ever noticed that as they didn't build a kernel as root, and the bug stuck around for a relatively long time (weeks at least.)

There was also some semi-serious talk about leaving it in the build as well, just to "catch" people who were doing this, but sanity prevailed and it was fixed. But, you never know if that old bug might slip back in one day :)

good luck,

greg k-h
[gentoo-dev] Re: Short bugzilla outage today between 2100-2200 UTC
On Wed, Jul 4, 2012 at 10:16 PM, Theo Chatzimichos wrote:
> All,
>
> bugs.gentoo.org will be down for 30 minutes sometime between 2100 and 2200
> UTC. We are migrating the database replication to newer and faster boxes.
> Apologies for the short notice. We'll let you know with a newer announcement
> when it is finished.
>
> the Gentoo Infrastructure team

Finished, everything seems fine again. Please let us know if you notice any weird behavior
Re: [gentoo-dev] Kernel compiles and you
On Wed, 4 Jul 2012 20:06:58 +0200 Tobias Klausmann wrote:
> Hi!
>
> On Wed, 04 Jul 2012, Michał Górny wrote:
> > There's a very simple yet custom solution I'm using. Shortly saying:
> > checkout the kernel git to /usr/src/linux and chown to your user. As
> > far as it goes, it's superior to having kernel sources installed by
> > ebuilds.
> >
> > I just have to remember to do 'git fetch' from time to time and 'git
> > merge' whenever a new version is tagged.
>
> It is also beyond the package manager's control. That means users
> who want to just configure their kernel (and run point releases
> otherwise) have to actively check for new tags/versions.

True. I think that's the direction I should look into improving.

> Aside from that the git tree is not exactly lightweight: my
> current 2.6 checkout weighs in at 1.4G whereas the unpacked tar
> is 512M.

Well, that's the other problem. On the other hand, you usually have to have that 1G free anyway unless you intend to manually unmerge the previous *-sources before installing the new one. And the time needed to do that... git is so much faster.

--
Best regards,
Michał Górny
Re: [gentoo-dev] Liblo 0.26 wrong ebuild license
On 07/02/2012 11:51 AM, Natanael Olaiz wrote: It is LGPL, not GPL. diff -aru liblo_original/liblo-0.26.ebuild liblo/liblo-0.26.ebuild --- liblo_original/liblo-0.26.ebuild2011-09-12 20:38:28.0 +0200 +++ liblo/liblo-0.26.ebuild 2012-07-02 10:43:29.0 +0200 @@ -8,7 +8,7 @@ HOMEPAGE="http://plugin.org.uk/liblo"; SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz" -LICENSE="GPL-2" +LICENSE="LGPL-2.1" SLOT="0" KEYWORDS="amd64 ppc ppc64 x86 ~ppc-macos" IUSE="doc ipv6 static-libs" Best regards, Natanael. Bugs should be reported to http://bugs.gentoo.org/ instead of here. Seriously. With that said, liblo is now fixed.
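Review bot: the `LICENSE` change from `GPL-2` to `LGPL-2.1` is asserted without a pointer to where upstream states its license, so the submission should name the file in the tarball or the upstream statement it relies on and confirm that it covers everything the ebuild installs, including what the `doc` flag in `IUSE` pulls in. The context line `HOMEPAGE="http://plugin.org.uk/liblo";` also shows a `;` after the closing quote; check it against the ebuild in the tree in case it is only an artifact of how the mail was archived.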
Re: [gentoo-dev] Kernel compiles and you
Michael Weber wrote:
> I think running kernels from non-root checkouts is a pretty big
> security hole.

Suggest think again. The Linux kernel should not and really must not be built as root. This is neither supported nor recommended nor tested by upstream. You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root.

The administrator usually has a normal user account somewhere. Use that to build.

-sources ebuilds installing 755 root:root to /usr/src/linux is fine, but best avoid building in-tree in that case.

//Peter
[gentoo-dev] Short bugzilla outage today between 2100-2200 UTC
All,

bugs.gentoo.org will be down for 30 minutes sometime between 2100 and 2200 UTC. We are migrating the database replication to newer and faster boxes. Apologies for the short notice. We'll let you know with a newer announcement when it is finished.

the Gentoo Infrastructure team
Re: [gentoo-dev] Kernel compiles and you
On 07/04/2012 08:56 PM, William Hubbs wrote:
> On Wed, Jul 04, 2012 at 02:20:36PM -0400, Rick "Zero_Chaos" Farina
> wrote:
>> On 07/04/2012 01:58 PM, Michał Górny wrote:
>> We could allow writes in the directories but not to the kernel
>> source files themselves... that seems moderately sane even as the
>> source files don't need to be written to be compiled, only the
>> dir's need write permissions...
>
> Actually the directories do not need write permissions either. Take
> a look at the O= option documented in /usr/src/linux/README.
>
> William

Um, well, users can then write the compiled files (.o in the tree). You can also set `chmod -R g+w /` and give everyone full access.

I think running kernels from non-root checkouts is a pretty big security hole.

Michael

--
Gentoo Dev
http://xmw.de/
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 04, 2012 at 02:20:36PM -0400, Rick "Zero_Chaos" Farina wrote:
> On 07/04/2012 01:58 PM, Michał Górny wrote:
> > On Wed, 4 Jul 2012 19:46:47 +0200
> > Tobias Klausmann wrote:
> >
> >> Recently, I have again bumped into the question whether one
> >> should compile the kernel as root. One of the things that puzzles
> >> me is why almost every HowTo, blog post and book recommends
> >> building as non-root -- yet basically no distribution /helps/ the
> >> user with doing that.
> >>
> >> I've discussed this with a few people on #gentoo-dev and they've
> >> provided valuable insight (thanks AxS, Chainsaw and WilliamH), so
> >> I have gathered the results so far here:
> >>
> >> http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt
> >>
> >> Feel free to comment (ideally here). Note that I'm aiming for a
> >> solution that is not (overly) Gentoo-specific.
> >
> > There's a very simple yet custom solution I'm using. Shortly saying:
> > checkout the kernel git to /usr/src/linux and chown to your user. As
> > far as it goes, it's superior to having kernel sources installed by
> > ebuilds.
> >
> > I just have to remember to do 'git fetch' from time to time and 'git
> > merge' whenever a new version is tagged.
> >
> > Honestly I'm not certain if there is an easy way to do this
>
> Obvious easy way, make the ebuilds install the kernel sources and chown
> root.users then chmod g+w. Of course, after this any user could trojan
> the kernel...

There is no need to chown or chmod anything. /usr/src/linux* is always world readable.

> We could allow writes in the directories but not to the kernel source
> files themselves... that seems moderately sane even as the source files
> don't need to be written to be compiled, only the dir's need write
> permissions...

Actually the directories do not need write permissions either. Take a look at the O= option documented in /usr/src/linux/README.

William
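An added example, not part of the thread: a shell helper for the arrangement this message describes, where the source tree stays root-owned and read-only to the building user and all build output goes to a separate directory through O=. The function names, the exit codes and the refusal to run as root are assumptions of this example, not anything Gentoo or the kernel ships.

```shell
#!/bin/sh
# Added example; function names and exit codes are hypothetical.

# List entries under the source tree that group or others may modify.
# Symlinks are skipped: their mode bits are always rwxrwxrwx on Linux.
ksrc_writable_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Return 0 only if the tree has no group/world-writable entries and the
# output directory is a writable location outside the tree.
ksrc_check() {
    src=$1
    out=$2
    [ -d "$src" ] || { echo "no such source tree: $src" >&2; return 2; }
    [ -d "$out" ] && [ -w "$out" ] || {
        echo "output dir missing or not writable: $out" >&2; return 2; }
    src_real=$(CDPATH= cd -- "$src" && pwd -P)
    out_real=$(CDPATH= cd -- "$out" && pwd -P)
    case "$out_real/" in
        "$src_real"/*)
            echo "output dir is inside the source tree" >&2; return 1 ;;
    esac
    bad=$(ksrc_writable_entries "$src_real")
    if [ -n "$bad" ]; then
        echo "group/world-writable entries in source tree:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Build as the calling non-root user; every generated file lands in $out.
# O= is given as an absolute path because make -C changes directory first.
kbuild_unprivileged() {
    src=$1
    out=$2
    shift 2
    [ "$(id -u)" -ne 0 ] || { echo "refusing to build as root" >&2; return 3; }
    ksrc_check "$src" "$out" || return $?
    out=$(CDPATH= cd -- "$out" && pwd -P)
    make -C "$src" O="$out" "$@"
}

# Typical use (paths are assumptions):
#   mkdir -p "$HOME/kbuild"
#   kbuild_unprivileged /usr/src/linux "$HOME/kbuild" menuconfig
#   kbuild_unprivileged /usr/src/linux "$HOME/kbuild" -j4
```

Only the install steps (`make modules_install`, copying the image) then need root, which narrows the privileged part of the procedure to the steps the thread identifies as unavoidable.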
Re: [gentoo-dev] Kernel compiles and you
On 07/04/2012 01:58 PM, Michał Górny wrote:
> On Wed, 4 Jul 2012 19:46:47 +0200
> Tobias Klausmann wrote:
>
>> Recently, I have again bumped into the question whether one
>> should compile the kernel as root. One of the things that puzzles
>> me is why almost every HowTo, blog post and book recommends
>> building as non-root -- yet basically no distribution /helps/ the
>> user with doing that.
>>
>> I've discussed this with a few people on #gentoo-dev and they've
>> provided valuable insight (thanks AxS, Chainsaw and WilliamH), so
>> I have gathered the results so far here:
>>
>> http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt
>>
>> Feel free to comment (ideally here). Note that I'm aiming for a
>> solution that is not (overly) Gentoo-specific.
>
> There's a very simple yet custom solution I'm using. Shortly saying:
> checkout the kernel git to /usr/src/linux and chown to your user. As
> far as it goes, it's superior to having kernel sources installed by
> ebuilds.
>
> I just have to remember to do 'git fetch' from time to time and 'git
> merge' whenever a new version is tagged.
>
> Honestly I'm not certain if there is an easy way to do this

Obvious easy way, make the ebuilds install the kernel sources and chown root.users then chmod g+w. Of course, after this any user could trojan the kernel...

We could allow writes in the directories but not to the kernel source files themselves... that seems moderately sane even as the source files don't need to be written to be compiled, only the dir's need write permissions...

Thoughts?

-Zero
Re: [gentoo-dev] Kernel compiles and you
Hi!

On Wed, 04 Jul 2012, Michał Górny wrote:
> There's a very simple yet custom solution I'm using. Shortly saying:
> checkout the kernel git to /usr/src/linux and chown to your user. As
> far as it goes, it's superior to having kernel sources installed by
> ebuilds.
>
> I just have to remember to do 'git fetch' from time to time and 'git
> merge' whenever a new version is tagged.

It is also beyond the package manager's control. That means users who want to just configure their kernel (and run point releases otherwise) have to actively check for new tags/versions.

Aside from that the git tree is not exactly lightweight: my current 2.6 checkout weighs in at 1.4G whereas the unpacked tar is 512M.

I'll amend the blog post, though.

Regards,
Tobias

--
Sent from aboard the Culture ship GSV Just Read The Instructions
Re: [gentoo-dev] Kernel compiles and you
On Wed, 4 Jul 2012 19:46:47 +0200 Tobias Klausmann wrote:
> Recently, I have again bumped into the question whether one
> should compile the kernel as root. One of the things that puzzles
> me is why almost every HowTo, blog post and book recommends
> building as non-root -- yet basically no distribution /helps/ the
> user with doing that.
>
> I've discussed this with a few people on #gentoo-dev and they've
> provided valuable insight (thanks AxS, Chainsaw and WilliamH), so
> I have gathered the results so far here:
>
> http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt
>
> Feel free to comment (ideally here). Note that I'm aiming for a
> solution that is not (overly) Gentoo-specific.

There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds.

I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged.

--
Best regards,
Michał Górny
[gentoo-dev] Kernel compiles and you
Hi!

Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that.

I've discussed this with a few people on #gentoo-dev and they've provided valuable insight (thanks AxS, Chainsaw and WilliamH), so I have gathered the results so far here:

http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt

Feel free to comment (ideally here). Note that I'm aiming for a solution that is not (overly) Gentoo-specific.

Thanks,
Tobias (aka Blackb|rd on Freenode)

--
Sent from aboard the Culture ship GSV Just Read The Instructions
Re: [gentoo-dev] Re: GLEP draf for cross-compile support in multilib profiles
On 07/01/2012 01:41 PM, Thomas Sachau wrote:
> I guess, you are mixing cross-compile support in multilib profiles and
> cross-compile support with cross-toolchains, multilib-portage is for the
> first one, while crossdev is for the second one.
>
> My suggestion does not support e.g. compiling for ppc with an amd64
> profile, on amd64 it only can support x86 and x32. Since all of these
> binaries can run with an amd64 kernel and you build for at least one
> target, you always have a binary around, no need for an extra HOST
> dependency.

You can run an arm binary on amd64 (through binfmt+qemu-user static)

> I dont know, what exactly you mean with "play properly with ld" and
> "cross-vs-host paths", so cannot respond to those.

multilib works because the runtime linker picked is the right one for each ABI, thanks to qemu makes no difference if that ABI is native or not.

cross vs host paths is an annoying problem due to the slightly different behaviour between native and cross compiler toolchains, it tends to ignore environment variables and other small differences making dropping a native cross compiler in a qemu chroot, QUITE a creative activity.

lu

--
Luca Barbato
Gentoo/linux
http://dev.gentoo.org/~lu_zero
Re: [gentoo-dev] New Manifest Hashes
The change has been made. Please remember to cvs up metadata/layout.conf and update portage (if necessary) before committing. Thanks