Re: [gentoo-dev] [PATCH] 2022-12-28-hardening-fortify-assertions: add item
> On 28 Dec 2022, at 19:34, Sam James wrote:
>
> Bug: https://bugs.gentoo.org/876893
> Bug: https://bugs.gentoo.org/876895
> Signed-off-by: Sam James
> ---

FYI: The changes for this haven't landed in ::gentoo yet. We're likely to wait until the next GCC 12 snapshot on the weekend.

There's also a chance we delay this further depending on what the outcome of a PPC + GCC 12 issue is that we're looking into, but it's unrelated to this news item other than involving GCC 12.
Re: [gentoo-dev] Packages up for grabs: apache-2.eclass
On 2022-12-26 10:11:18, Hans de Graaff wrote:
>
> It would be great if you could dust these off and post them here so we
> can get these improvements merged. You mention in the bug that you'd
> rather wait for a dedicated maintainer to review them, but I'm (in
> name) that maintainer and I think you probably know these eclasses
> better than I do. With some joint effort we may get things moving here.

I'm trying to avoid becoming the de facto maintainer of the thirty or so apache modules that I care nothing about. The eclasses I posted to the bug are a proof-of-concept for www-apache/mpm_itk, but even that has a workaround allowing it to use EAPI=7 now. I haven't tested them with any other packages.

Updating apache-module-r1.eclass to EAPI=8 still requires some work, and then the whole thing needs to be tested by migrating a representative chunk of apache-module packages to determine if the idea is feasible as-is, or if the approach needs to be tweaked. Until then we'd just be wasting reviewers' time.

I may eventually get bored enough to do all that testing, but right now I have a lot of things that are actually enjoyable and/or make me money in front of it on my list.
[gentoo-dev] [PATCH] 2022-12-28-hardening-fortify-assertions: add item
Bug: https://bugs.gentoo.org/876893 Bug: https://bugs.gentoo.org/876895 Signed-off-by: Sam James --- ...-12-28-hardening-fortify-assertions.en.txt | 57 +++ 1 file changed, 57 insertions(+) create mode 100644 2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt diff --git a/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt new file mode 100644 index 000..b339828 --- /dev/null +++ b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt 
@@ -0,0 +1,57 @@ +Title: Hardened profiles improvements +Author: Sam James +Posted: 2022-12-27 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Profile: features/hardened +Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened +Display-If-Profile: default/linux/ppc/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened +Display-If-Profile: default/linux/amd64/17.0/hardened +Display-If-Profile: default/linux/amd64/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.1/hardened +Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened +Display-If-Profile: default/linux/x86/17.0/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/armv6j/hardened +Display-If-Profile: default/linux/ppc64/17.0/musl/hardened +Display-If-Profile: default/linux/arm64/17.0/hardened +Display-If-Profile: default/linux/arm64/17.0/musl/hardened + +Gentoo's hardened profiles are adopting two new modern toolchain hardening +techniques: +1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0] +2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] + +These will both be enabled by default with USE=hardened on sys-devel/gcc +for >=sys-devel/gcc-12.2.1_p20221224-r1. + +To view the existing list of hardening changes applied by the profiles, +see the wiki [2]. + +Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into +/etc/portage/package.accept_keywords if they wish to take advantage +of these improvements early, before GCC 12 is marked stable. + +## Migration + +To fully take advantage of these new settings, GCC must first +be upgraded, and then all packages must be re-emerged: +1. emerge --sync +2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1" +3. 
emerge --verbose --emptytree @world + +## Troubleshooting + +In the event that some packages fail at runtime, please file a bug +with the full details. To temporarily workaround the problem, +it should be possible to recompile broken packages with the +following *FLAGS: +CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2" +CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS" + +[0] https://bugs.gentoo.org/876893 +[1] https://bugs.gentoo.org/876895 +[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes -- 2.39.0
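Review bot: the Posted: date in the header (2022-12-27) does not match the 2022-12-28 date in the news item's directory and file name; reconcile one or the other before this lands. In the Troubleshooting section, "To temporarily workaround the problem" uses the noun as a verb; "work around" is the verb form. The same section lists the *FLAGS to rebuild a broken package with but not where to set them; a sentence pointing at a per-package entry in /etc/portage/package.env (so the weaker -D_FORTIFY_SOURCE=2 / -U_GLIBCXX_ASSERTIONS override stays limited to the affected packages rather than going into make.conf for the whole system) would make the workaround actionable for the stable users the item addresses.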
Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system
> On 28 Dec 2022, at 18:52, Sam James wrote:
>
>> On 28 Dec 2022, at 16:27, Sam James wrote:
>>
>>> On 28 Dec 2022, at 16:04, Sam James wrote:
>>>
>>> - Before this commit, nothing pulls in app-alternatives/sh, so we're
>>> relying on app-shells/bash handling /bin/sh as an orphaned symlink
>>> (which is one of the big things we're trying to move away from).
>>>
>>> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
>>> via /etc/portage/package.use without adding these to @world manually,
>>> this also lays the ground work for at some point removing specific
>>> implementations in the future (after making sure ebuilds which need
>>> specific impls. depend on them).
>>>
>>> - Note that there's two exceptions:
>>> 1. app-alternatives/yacc
>>>
>>> No need to explicitly add into @system, because we previously had
>>> virtual/yacc so it'll get pulled in by ebuild dependencies anyway.
>>>
>>> 2. app-alternatives/lex
>>>
>>> We never had virtual/lex before and packages very often explicitly
>>> depend on sys-devel/flex. But this isn't a big deal given it's very
>>> unlikely that a user wants to try to modify lex yet and reflex is still
>>> very new as an option in Gentoo.
>>>
>>> That is, as time goes on and we test more to ensure it works with any lex,
>>> it'll get pulled in as various ebuilds get updated anyway.
>>>
>>> Bug: https://bugs.gentoo.org/886017
>>> Bug: https://bugs.gentoo.org/886247
>>> Signed-off-by: Sam James
>>> ---
>>> profiles/base/packages | 9 ++---
>>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> FWIW, I'd like to push this today to avoid users having to deal
>> with the migration "twice" if they have eselect-sh installed,
>> given app-alternatives/* got stabled yesterday/early today.
>
> After discussion in #gentoo-pms, I'm going to push this
> with only the +s (i.e. keep gzip + bzip2 in @system for now),
> as PMS at least for gzip is clear it wants GNU gzip available,
> and it says "bzip2" must be as well.
>
> I'd like to revisit this another time and see about changing that
> if appropriate, but that's tangential to the reason I'm trying to do
> this quickly (minimising impact for users).
>
> I'll open a bug so we don't forget to do that revisiting.

https://bugs.gentoo.org/888777
[gentoo-dev] [PATCH 1/1] kernel-2.eclass: Don't drop CPU OPT patch when CC=clang
Clang is supported by the CPU optimization patch. (USE=experimental) Check for CC=clang and do not drop this patch. Bug: https://bugs.gentoo.org/888727 Signed-off-by: Mike Pagano --- eclass/kernel-2.eclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eclass/kernel-2.eclass b/eclass/kernel-2.eclass index e13ed1a4f..873d4a204 100644 --- a/eclass/kernel-2.eclass +++ b/eclass/kernel-2.eclass @@ -1144,7 +1144,7 @@ unipatch() { UNIPATCH_DROP+=" 5011_enable-cpu-optimizations-for-gcc8.patch" UNIPATCH_DROP+=" 5012_enable-cpu-optimizations-for-gcc91.patch" UNIPATCH_DROP+=" 5013_enable-cpu-optimizations-for-gcc10.patch" - if [[ ${GCC_MAJOR_VER} -lt 9 ]]; then + if [[ ${GCC_MAJOR_VER} -lt 9 ]] && ! tc-is-clang; then UNIPATCH_DROP+=" 5010_enable-cpu-optimizations-universal.patch" fi # this legacy section should be targeted for removal -- 2.38.2 -- Mike Pagano Gentoo Developer - Kernel Project E-Mail : mpag...@gentoo.org GnuPG FP : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137 Public Key : http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137=index OpenPGP_0x92A6DBEC81F2B137.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature
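Review bot: the commit message says clang is supported by the CPU optimization patch but not why the existing gate misfires with CC=clang; the hunk implies GCC_MAJOR_VER is computed from the host gcc even when clang is the compiler in use, so a system with gcc < 9 building the kernel with clang silently lost 5010_enable-cpu-optimizations-universal.patch. One sentence to that effect in the message would help whoever eventually removes this "legacy section". Keeping `&& ! tc-is-clang` after the version test is the right order, since && short-circuits and tc-is-clang (from toolchain-funcs.eclass) only runs when the version check would otherwise drop the patch; confirm kernel-2.eclass inherits toolchain-funcs so the function is in scope in unipatch().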
Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system
> On 28 Dec 2022, at 16:27, Sam James wrote:
>
>> On 28 Dec 2022, at 16:04, Sam James wrote:
>>
>> - Before this commit, nothing pulls in app-alternatives/sh, so we're
>> relying on app-shells/bash handling /bin/sh as an orphaned symlink
>> (which is one of the big things we're trying to move away from).
>>
>> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
>> via /etc/portage/package.use without adding these to @world manually,
>> this also lays the ground work for at some point removing specific
>> implementations in the future (after making sure ebuilds which need
>> specific impls. depend on them).
>>
>> - Note that there's two exceptions:
>> 1. app-alternatives/yacc
>>
>> No need to explicitly add into @system, because we previously had
>> virtual/yacc so it'll get pulled in by ebuild dependencies anyway.
>>
>> 2. app-alternatives/lex
>>
>> We never had virtual/lex before and packages very often explicitly
>> depend on sys-devel/flex. But this isn't a big deal given it's very
>> unlikely that a user wants to try to modify lex yet and reflex is still
>> very new as an option in Gentoo.
>>
>> That is, as time goes on and we test more to ensure it works with any lex,
>> it'll get pulled in as various ebuilds get updated anyway.
>>
>> Bug: https://bugs.gentoo.org/886017
>> Bug: https://bugs.gentoo.org/886247
>> Signed-off-by: Sam James
>> ---
>> profiles/base/packages | 9 ++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> FWIW, I'd like to push this today to avoid users having to deal
> with the migration "twice" if they have eselect-sh installed,
> given app-alternatives/* got stabled yesterday/early today.

After discussion in #gentoo-pms, I'm going to push this with only the +s (i.e. keep gzip + bzip2 in @system for now), as PMS at least for gzip is clear it wants GNU gzip available, and it says "bzip2" must be as well.

I'd like to revisit this another time and see about changing that if appropriate, but that's tangential to the reason I'm trying to do this quickly (minimising impact for users).

I'll open a bug so we don't forget to do that revisiting.
Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system
> On 28 Dec 2022, at 16:04, Sam James wrote:
>
> - Before this commit, nothing pulls in app-alternatives/sh, so we're
> relying on app-shells/bash handling /bin/sh as an orphaned symlink
> (which is one of the big things we're trying to move away from).
>
> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
> via /etc/portage/package.use without adding these to @world manually,
> this also lays the ground work for at some point removing specific
> implementations in the future (after making sure ebuilds which need
> specific impls. depend on them).
>
> - Note that there's two exceptions:
> 1. app-alternatives/yacc
>
> No need to explicitly add into @system, because we previously had
> virtual/yacc so it'll get pulled in by ebuild dependencies anyway.
>
> 2. app-alternatives/lex
>
> We never had virtual/lex before and packages very often explicitly
> depend on sys-devel/flex. But this isn't a big deal given it's very
> unlikely that a user wants to try to modify lex yet and reflex is still
> very new as an option in Gentoo.
>
> That is, as time goes on and we test more to ensure it works with any lex,
> it'll get pulled in as various ebuilds get updated anyway.
>
> Bug: https://bugs.gentoo.org/886017
> Bug: https://bugs.gentoo.org/886247
> Signed-off-by: Sam James
> ---
> profiles/base/packages | 9 ++---
> 1 file changed, 6 insertions(+), 3 deletions(-)

FWIW, I'd like to push this today to avoid users having to deal with the migration "twice" if they have eselect-sh installed, given app-alternatives/* got stabled yesterday/early today.
[gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system
- Before this commit, nothing pulls in app-alternatives/sh, so we're relying on app-shells/bash handling /bin/sh as an orphaned symlink (which is one of the big things we're trying to move away from). - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup via /etc/portage/package.use without adding these to @world manually, this also lays the ground work for at some point removing specific implementations in the future (after making sure ebuilds which need specific impls. depend on them). - Note that there's two exceptions: 1. app-alternaitves/yacc No need to explicitly add into @system, because we previously had virtual/yacc so it'll get pulled in by ebuild dependencies anyway. 2. app-alternatives/lex We never had virtual/lex before and packages very often explicitly depend on sys-devel/flex. But this isn't a big deal given it's very unlikely that a user wants to try modify lex yet and reflex is still very new as an option in Gentoo. That is, as time goes on and we test more to ensure it works with any lex, it'll get pulled in as various ebuilds get updated anyway. Bug: https://bugs.gentoo.org/886017 Bug: https://bugs.gentoo.org/886247 Signed-off-by: Sam James --- profiles/base/packages | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/profiles/base/packages b/profiles/base/packages index e0cee163af993..533a67c70e05c 100644 --- a/profiles/base/packages +++ b/profiles/base/packages @@ -1,4 +1,4 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License, v2 # Gentoo Base Profile @@ -24,9 +24,12 @@ # of the minimum set of packages needed for any Gentoo based system. *>=sys-apps/baselayout-2 +*app-alternatives/awk +*app-alternatives/bzip2 +*app-alternatives/gzip +*app-alternatives/sh +*app-alternatives/tar *app-admin/eselect -*app-arch/bzip2 -*app-arch/gzip *app-arch/tar *app-arch/xz-utils *app-shells/bash:0 -- 2.39.0
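Review bot: the second hunk removes `*app-arch/bzip2` and `*app-arch/gzip` from @system while adding `*app-alternatives/bzip2` and `*app-alternatives/gzip`, but an alternatives entry only guarantees that some provider is selected, not that the GNU implementations the package manager relies on are installed; as the follow-up in this thread concludes, the two `-` lines should be held back and only the `+` lines pushed until PMS is revisited. The hunk is also asymmetric without explanation: `*app-arch/tar` stays in @system next to the new `*app-alternatives/tar`, while gzip and bzip2 lose their implementation entries; the commit message should say why tar is treated differently. Minor: the commit message spells the package as "app-alternaitves/yacc".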