Re: [gentoo-dev] [PATCH] 2022-12-28-hardening-fortify-assertions: add item

2022-12-28 Thread Sam James


> On 28 Dec 2022, at 19:34, Sam James  wrote:
> 
> Bug: https://bugs.gentoo.org/876893
> Bug: https://bugs.gentoo.org/876895
> Signed-off-by: Sam James 
> ---

FYI: The changes for this haven't landed in ::gentoo yet.

We're likely to wait until the next GCC 12 snapshot on the weekend.

There's also a chance we delay this further depending on
what the outcome of a PPC + GCC 12 issue is that we're
looking into, but it's unrelated to this news item other
than involving GCC 12.




Re: [gentoo-dev] Packages up for grabs: apache-2.eclass

2022-12-28 Thread Michael Orlitzky
On 2022-12-26 10:11:18, Hans de Graaff wrote:
> 
> It would be great if you could dust these off and post them here so we
> can get these improvements merged. You mention in the bug that you'd
> rather wait for a dedicated maintainer to review them, but I'm (in
> name) that maintainer and I think you probably know these eclasses
> better than I do. With some joint effort we may get things moving here.

I'm trying to avoid becoming the de facto maintainer of the thirty or
so apache modules that I care nothing about. The eclasses I posted to
the bug are a proof-of-concept for www-apache/mpm_itk, but even that
has a workaround allowing it to use EAPI=7 now. I haven't tested them
with any other packages.

Updating apache-module-r1.eclass to EAPI=8 still requires some work,
and then the whole thing needs to be tested by migrating a
representative chunk of apache-module packages to determine if the
idea is feasible as-is, or if the approach needs to be tweaked. Until
then we'd just be wasting reviewers' time.

I may eventually get bored enough to do all that testing, but right
now I have a lot of things that are actually enjoyable and/or make me
money in front of it on my list.



[gentoo-dev] [PATCH] 2022-12-28-hardening-fortify-assertions: add item

2022-12-28 Thread Sam James
Bug: https://bugs.gentoo.org/876893
Bug: https://bugs.gentoo.org/876895
Signed-off-by: Sam James 
---
 ...-12-28-hardening-fortify-assertions.en.txt | 57 +++
 1 file changed, 57 insertions(+)
 create mode 100644 2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt

diff --git a/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt
new file mode 100644
index 000..b339828
--- /dev/null
+++ b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt
@@ -0,0 +1,57 @@
+Title: Hardened profiles improvements
+Author: Sam James 
+Posted: 2022-12-27
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Profile: features/hardened
+Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
+Display-If-Profile: default/linux/ppc/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
+Display-If-Profile: default/linux/amd64/17.0/hardened
+Display-If-Profile: default/linux/amd64/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.1/hardened
+Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
+Display-If-Profile: default/linux/x86/17.0/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
+Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
+Display-If-Profile: default/linux/arm64/17.0/hardened
+Display-If-Profile: default/linux/arm64/17.0/musl/hardened
+
+Gentoo's hardened profiles are adopting two new modern toolchain hardening
+techniques:
+1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
+2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]
+
+These will both be enabled by default with USE=hardened on sys-devel/gcc
+for >=sys-devel/gcc-12.2.1_p20221224-r1.
+
+To view the existing list of hardening changes applied by the profiles,
+see the wiki [2].
+
+Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into
+/etc/portage/package.accept_keywords if they wish to take advantage
+of these improvements early, before GCC 12 is marked stable.
+
+## Migration
+
+To fully take advantage of these new settings, GCC must first
+be upgraded, and then all packages must be re-emerged:
+1. emerge --sync
+2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1"
+3. emerge --verbose --emptytree @world
+
+## Troubleshooting
+
+In the event that some packages fail at runtime, please file a bug
+with the full details. To temporarily workaround the problem,
+it should be possible to recompile broken packages with the
+following *FLAGS:
+CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"
+
+[0] https://bugs.gentoo.org/876893
+[1] https://bugs.gentoo.org/876895
+[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
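Review bot: The `Posted: 2022-12-27` header disagrees with the 2022-12-28 date carried in the item's directory and file name; the two are expected to match, so either bump `Posted:` to 2022-12-28 or rename the item. Two smaller points in the Troubleshooting section: "workaround" is the noun, the verb is "work around"; and it would help readers to state that a package failing at runtime under `-D_FORTIFY_SOURCE=3` or `-D_GLIBCXX_ASSERTIONS` is almost always a genuine out-of-bounds access that the hardening has turned from silent memory corruption into an abort, so the weakened `*FLAGS` are a stopgap while the bug is open, not a fix. Since the flags are meant for individual broken packages, naming /etc/portage/package.env as the place to apply them per package would save users from weakening the whole system in make.conf.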
-- 
2.39.0




Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system

2022-12-28 Thread Sam James


> On 28 Dec 2022, at 18:52, Sam James  wrote:
> 
> 
> 
>> On 28 Dec 2022, at 16:27, Sam James  wrote:
>> 
>> 
>> 
>>> On 28 Dec 2022, at 16:04, Sam James  wrote:
>>> 
>>> - Before this commit, nothing pulls in app-alternatives/sh, so we're relying on
>>>   app-shells/bash handling /bin/sh as an orphaned symlink (which is one of the big
>>>   things we're trying to move away from).
>>> 
>>> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
>>>   via /etc/portage/package.use without adding these to @world manually;
>>>   this also lays the groundwork for at some point removing specific implementations
>>>   in the future (after making sure ebuilds which need specific impls. depend on them).
>>> 
>>> - Note that there are two exceptions:
>>>   1. app-alternatives/yacc
>>> 
>>>      No need to explicitly add into @system, because we previously had virtual/yacc
>>>      so it'll get pulled in by ebuild dependencies anyway.
>>> 
>>>   2. app-alternatives/lex
>>> 
>>>      We never had virtual/lex before and packages very often explicitly
>>>      depend on sys-devel/flex. But this isn't a big deal given it's very unlikely
>>>      that a user wants to try to modify lex yet and reflex is still very new as an
>>>      option in Gentoo.
>>> 
>>>      That is, as time goes on and we test more to ensure it works with any lex,
>>>      it'll get pulled in as various ebuilds get updated anyway.
>>> Bug: https://bugs.gentoo.org/886017
>>> Bug: https://bugs.gentoo.org/886247
>>> Signed-off-by: Sam James 
>>> ---
>>> profiles/base/packages | 9 ++---
>>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>> 
>> 
>> FWIW, I'd like to push this today to avoid users having to deal
>> with the migration "twice" if they have eselect-sh installed,
>> given app-alternatives/* got stabled yesterday/early today.
> 
> After discussion in #gentoo-pms, I'm going to push this
> with only the +s (i.e. keep gzip + bzip2 in @system for now),
> as PMS at least for gzip is clear it wants GNU gzip available,
> and it says "bzip2" must be as well.
> 
> I'd like to revisit this another time and see about changing that
> if appropriate, but that's tangential to the reason I'm trying to do
> this quickly (minimising impact for users).
> 
> I'll open a bug so we don't forget to do that revisiting.
> 

https://bugs.gentoo.org/888777





[gentoo-dev] [PATCH 1/1] kernel-2.eclass: Don't drop CPU OPT patch when CC=clang

2022-12-28 Thread Mike Pagano

Clang is supported by the CPU optimization patch. (USE=experimental)
Check for CC=clang and do not drop this patch.

Bug: https://bugs.gentoo.org/888727

Signed-off-by: Mike Pagano 
---
 eclass/kernel-2.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/kernel-2.eclass b/eclass/kernel-2.eclass
index e13ed1a4f..873d4a204 100644
--- a/eclass/kernel-2.eclass
+++ b/eclass/kernel-2.eclass
@@ -1144,7 +1144,7 @@ unipatch() {
UNIPATCH_DROP+=" 5011_enable-cpu-optimizations-for-gcc8.patch"
UNIPATCH_DROP+=" 5012_enable-cpu-optimizations-for-gcc91.patch"
UNIPATCH_DROP+=" 5013_enable-cpu-optimizations-for-gcc10.patch"
-   if [[ ${GCC_MAJOR_VER} -lt 9 ]]; then
+   if [[ ${GCC_MAJOR_VER} -lt 9 ]] && ! tc-is-clang; then
  UNIPATCH_DROP+=" 5010_enable-cpu-optimizations-universal.patch"
fi
# this legacy section should be targeted for removal
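Review bot: `tc-is-clang` is provided by toolchain-funcs.eclass and this hunk does not show that kernel-2.eclass inherits it; please confirm the inherit is present (or add it), because if the function is undefined bash prints "command not found" and, since `!` inverts that failure, the condition quietly degrades to the old behaviour and the patch is still dropped for clang users. A one-line comment above the `if` saying that clang builds keep the universal patch (the reason given in the commit message) would also help, as a bare `! tc-is-clang` next to a GCC version check does not explain itself.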
--
2.38.2

--
Mike Pagano
Gentoo Developer - Kernel Project
E-Mail : mpag...@gentoo.org
GnuPG FP   : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137
Public Key : http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index




Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system

2022-12-28 Thread Sam James


> On 28 Dec 2022, at 16:27, Sam James  wrote:
> 
> 
> 
>> On 28 Dec 2022, at 16:04, Sam James  wrote:
>> 
>> - Before this commit, nothing pulls in app-alternatives/sh, so we're relying on
>>   app-shells/bash handling /bin/sh as an orphaned symlink (which is one of the big
>>   things we're trying to move away from).
>> 
>> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
>>   via /etc/portage/package.use without adding these to @world manually;
>>   this also lays the groundwork for at some point removing specific implementations
>>   in the future (after making sure ebuilds which need specific impls. depend on them).
>> 
>> - Note that there are two exceptions:
>>   1. app-alternatives/yacc
>> 
>>      No need to explicitly add into @system, because we previously had virtual/yacc
>>      so it'll get pulled in by ebuild dependencies anyway.
>> 
>>   2. app-alternatives/lex
>> 
>>      We never had virtual/lex before and packages very often explicitly
>>      depend on sys-devel/flex. But this isn't a big deal given it's very unlikely
>>      that a user wants to try to modify lex yet and reflex is still very new as an
>>      option in Gentoo.
>> 
>>      That is, as time goes on and we test more to ensure it works with any lex,
>>      it'll get pulled in as various ebuilds get updated anyway.
>> 
>> Bug: https://bugs.gentoo.org/886017
>> Bug: https://bugs.gentoo.org/886247
>> Signed-off-by: Sam James 
>> ---
>> profiles/base/packages | 9 ++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>> 
> 
> FWIW, I'd like to push this today to avoid users having to deal
> with the migration "twice" if they have eselect-sh installed,
> given app-alternatives/* got stabled yesterday/early today.

After discussion in #gentoo-pms, I'm going to push this
with only the +s (i.e. keep gzip + bzip2 in @system for now),
as PMS at least for gzip is clear it wants GNU gzip available,
and it says "bzip2" must be as well.

I'd like to revisit this another time and see about changing that
if appropriate, but that's tangential to the reason I'm trying to do
this quickly (minimising impact for users).

I'll open a bug so we don't forget to do that revisiting.





Re: [gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system

2022-12-28 Thread Sam James


> On 28 Dec 2022, at 16:04, Sam James  wrote:
> 
> - Before this commit, nothing pulls in app-alternatives/sh, so we're relying on
>   app-shells/bash handling /bin/sh as an orphaned symlink (which is one of the big
>   things we're trying to move away from).
> 
> - Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
>   via /etc/portage/package.use without adding these to @world manually;
>   this also lays the groundwork for at some point removing specific implementations
>   in the future (after making sure ebuilds which need specific impls. depend on them).
> 
> - Note that there are two exceptions:
>   1. app-alternatives/yacc
> 
>      No need to explicitly add into @system, because we previously had virtual/yacc
>      so it'll get pulled in by ebuild dependencies anyway.
> 
>   2. app-alternatives/lex
> 
>      We never had virtual/lex before and packages very often explicitly
>      depend on sys-devel/flex. But this isn't a big deal given it's very unlikely
>      that a user wants to try to modify lex yet and reflex is still very new as an
>      option in Gentoo.
> 
>      That is, as time goes on and we test more to ensure it works with any lex,
>      it'll get pulled in as various ebuilds get updated anyway.
> 
> Bug: https://bugs.gentoo.org/886017
> Bug: https://bugs.gentoo.org/886247
> Signed-off-by: Sam James 
> ---
> profiles/base/packages | 9 ++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
> 

FWIW, I'd like to push this today to avoid users having to deal
with the migration "twice" if they have eselect-sh installed,
given app-alternatives/* got stabled yesterday/early today.







[gentoo-dev] [PATCH] profiles/base: add app-alternatives/{awk,bzip2,gzip,sh,tar} to @system

2022-12-28 Thread Sam James
- Before this commit, nothing pulls in app-alternatives/sh, so we're relying on
  app-shells/bash handling /bin/sh as an orphaned symlink (which is one of the big
  things we're trying to move away from).

- Add in the others (app-alternatives/{awk,bzip2,gzip,tar}) to allow setup
  via /etc/portage/package.use without adding these to @world manually;
  this also lays the groundwork for at some point removing specific implementations
  in the future (after making sure ebuilds which need specific impls. depend on them).

- Note that there are two exceptions:
  1. app-alternatives/yacc

     No need to explicitly add into @system, because we previously had virtual/yacc
     so it'll get pulled in by ebuild dependencies anyway.

  2. app-alternatives/lex

     We never had virtual/lex before and packages very often explicitly
     depend on sys-devel/flex. But this isn't a big deal given it's very unlikely
     that a user wants to try to modify lex yet and reflex is still very new as an
     option in Gentoo.

     That is, as time goes on and we test more to ensure it works with any lex,
     it'll get pulled in as various ebuilds get updated anyway.

Bug: https://bugs.gentoo.org/886017
Bug: https://bugs.gentoo.org/886247
Signed-off-by: Sam James 
---
 profiles/base/packages | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/profiles/base/packages b/profiles/base/packages
index e0cee163af993..533a67c70e05c 100644
--- a/profiles/base/packages
+++ b/profiles/base/packages
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License, v2
 
 # Gentoo Base Profile
@@ -24,9 +24,12 @@
 # of the minimum set of packages needed for any Gentoo based system.
 
 *>=sys-apps/baselayout-2
+*app-alternatives/awk
+*app-alternatives/bzip2
+*app-alternatives/gzip
+*app-alternatives/sh
+*app-alternatives/tar
 *app-admin/eselect
-*app-arch/bzip2
-*app-arch/gzip
 *app-arch/tar
 *app-arch/xz-utils
 *app-shells/bash:0
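Review bot: The hunk removes `*app-arch/bzip2` and `*app-arch/gzip` but keeps `*app-arch/tar` beside the new `*app-alternatives/tar`, and the commit message does not explain the asymmetry. As noted later in this thread, PMS requires GNU gzip and bzip2 to be available, so the two `-` lines should be dropped from the patch (push only the `+` lines), and a short comment in the file saying why the GNU implementations stay in @system would stop the next person from "cleaning them up" again. Minor style point: the surrounding entries are ordered by category and the `app-alternatives/*` block would sort after `*app-admin/eselect`, not before it.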
-- 
2.39.0