Re: [gentoo-dev] Re: splitting one source package into many binaries

2005-06-20 Thread Donnie Berkholz

Duncan wrote:
> The 6.8.99 snapshot ebuilds
> (hard masked for testing) are the CVS development snapshots of this in
> portage, still unsplit, as it hasn't yet been split upstream, AFAIK.

The splitting is underway. Most of the protocol headers and libraries
are working, and the server itself is underway.

Thanks,
Donnie
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Re: splitting one source package into many binaries

2005-06-17 Thread Chris Gianelloni
On Fri, 2005-06-17 at 01:21 -0700, Duncan wrote:
> The client/server thing is a concern for me here, as well, for security
> reasons.  If I don't have an SSH server merged, it can't inadvertently
> be turned on somehow.  SSH is apparently a dependency for something I have
> merged, and currently, it includes the SSH server.  That worries me, as
> it's a server component on a normally client system, and is thus a
> potential security vuln.  IMO, having it there when it's not used and the
> human behind the machine has no intention of running it, is just /asking/
> for security issues.  It shouldn't be there in the first place. 
> Unfortunately, there's no USE flag to turn it off.

There is zero security risk unless you, as root, start the server.

> Similarly with a couple of the DHCP packages I was looking at a few weeks
> ago.  I normally run static IPs on a LAN behind a NAPT based router,
> giving me a /bit/ more leeway in terms of security on my Linux box, but
> decided to install some form of DHCP just in case.  Several of those
> packages have both clients and servers, with apparently no way to only
> install the client, short of hacking the ebuild.  IMO, that's not the way
> it should be.  Gentoo isn't supposed to work that way, and PARTICULARLY in
> this sort of instance, where getting mixed up in your configuration may
> mean you start the server instead of the client, is a security risk that
> simply shouldn't have to be there in the first place.

I think you have the wrong assumption here on how Gentoo is "supposed to
work".  Gentoo ships packages as close to how upstream packages them as
possible.  If you have a problem with the daemon being shipped with the
client, then complain upstream.  We have always provided the package as
determined by upstream.  Splitting packages is a waste of developer time
and also makes things much more complex dependency-wise.

If you do not want the binary for the server installed, then edit the
ebuild yourself, remove the binary, or use INSTALL_MASK.  It isn't like
we have not provided methods for you to do this yourself.  You cannot
expect us to provide for every possible scenario and still get anything
accomplished.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead/QA Manager
Games - Developer
Gentoo Linux
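The INSTALL_MASK route Chris mentions, worked through as an added example (this is not code from the thread or from Gentoo's own tooling). It assumes the file names a split-averse reader would want out of net-misc/openssh (the sshd binary, its init script, sshd_config and the SFTP subsystem; the lib/lib64 directory is covered with a glob), a constructed CONTENTS file standing in for /var/db/pkg/net-misc/openssh-*/CONTENTS, and a simplified matcher: Portage's real one is fnmatch-based, while this one only handles patterns anchored at the filesystem root.

```shell
#!/bin/sh
# Added example, not from the thread or from Gentoo: keep the sshd server
# side of net-misc/openssh off the box with INSTALL_MASK, then check the
# merged package recorded none of those files. All paths and CONTENTS
# lines are constructed for the demo. Matching is an approximation of
# Portage's (anchored shell globs only).
set -f   # never let the shell expand mask patterns against the real filesystem

# What would go in make.conf as INSTALL_MASK=... (assumed file set).
OPENSSH_SERVER_MASK='/usr/sbin/sshd /etc/init.d/sshd /etc/ssh/sshd_config /usr/lib*/misc/sftp-server'

# matches_mask PATH MASK -> 0 if PATH matches any glob in MASK, else 1.
matches_mask() {
    _p=$1; _hit=1
    for _pat in $2; do
        case $_p in
            $_pat) _hit=0; break ;;   # unquoted on purpose: glob match
        esac
    done
    return $_hit
}

# install_mask_filter MASK: image paths on stdin; prints the ones that
# survive the mask, i.e. what Portage would actually merge.
install_mask_filter() {
    while IFS= read -r _path; do
        matches_mask "$_path" "$1" || printf '%s\n' "$_path"
    done
}

# masked_leftovers MASK: post-merge check. Reads a Portage CONTENTS file on
# stdin ("obj /usr/sbin/sshd <md5> <mtime>", "sym /a -> b <mtime>",
# "dir /usr/sbin", ...) and prints every recorded path the mask should have
# dropped. Empty output means the mask took effect.
masked_leftovers() {
    while read -r _type _path _rest; do
        case $_type in
            obj|sym|dir|fif|dev) ;;
            *) continue ;;
        esac
        matches_mask "$_path" "$1" && printf '%s\n' "$_path"
    done
}

# sample_contents: CONSTRUCTED CONTENTS as it would look if openssh had been
# merged WITHOUT the mask (server files present).
sample_contents() {
    cat <<'EOF'
dir /usr/bin
obj /usr/bin/ssh 0123456789abcdef0123456789abcdef 1119000000
obj /usr/bin/scp 0123456789abcdef0123456789abcdef 1119000000
sym /usr/bin/slogin -> ssh 1119000000
dir /usr/sbin
obj /usr/sbin/sshd 0123456789abcdef0123456789abcdef 1119000000
dir /etc/init.d
obj /etc/init.d/sshd 0123456789abcdef0123456789abcdef 1119000000
obj /etc/ssh/ssh_config 0123456789abcdef0123456789abcdef 1119000000
obj /etc/ssh/sshd_config 0123456789abcdef0123456789abcdef 1119000000
obj /usr/lib64/misc/sftp-server 0123456789abcdef0123456789abcdef 1119000000
EOF
}

# Stand-alone run: what the mask keeps, then what an unmasked merge left behind.
echo "--- paths merged with INSTALL_MASK applied:"
sample_contents | awk '{print $2}' | install_mask_filter "$OPENSSH_SERVER_MASK"
echo "--- server files recorded in CONTENTS (empty after a masked merge):"
sample_contents | masked_leftovers "$OPENSSH_SERVER_MASK"
```

INSTALL_MASK only acts at merge time, so an already-installed openssh has to be re-merged after the variable is set; running the leftover check against the real /var/db/pkg/net-misc/openssh-*/CONTENTS afterwards is the quick way to confirm the server binary and its init script are gone rather than merely unused.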




Re: [gentoo-dev] Re: splitting one source package into many binaries

2005-06-17 Thread Jon Portnoy
On Fri, Jun 17, 2005 at 01:21:22AM -0700, Duncan wrote:
> reasons.  If I don't have an SSH server merged, it can't inadvertently
> be turned on somehow.  SSH is apparently a dependency for something I have

I'm all in favor of server vs. client flexibility but this 
example is kinda bogus. Assuming you don't turn it on, I'd have to say the only 
way it'd get turned on is if your system is already compromised.

-- 
Jon Portnoy
avenj/irc.freenode.net