Re: [gentoo-user] Firefox depends on rust??
On Thu, Jun 22, 2017 at 9:02 PM, Michael Orlitzkywrote: > On 06/22/2017 04:57 PM, R0b0t1 wrote: >>> >>> It would be against our ebuild policy if it does so. The sources for a >>> package should be listed in SRC_URI and are downloaded and verified by >>> your Gentoo package manager. After that, network access is forbidden. >>> >> >> You might be interested in this bug I submitted: >> https://bugs.gentoo.org/show_bug.cgi?id=537162. > > I commented on that bug over two years ago =) > > Don't use cabal-install to install packages. Stick to portage and you'll > be fine. > I tried to reference that in my post. I tried to install the packages that constitute the Haskell platform but cabal related utilities were still firing off on their own.
Re: [gentoo-user] Firefox depends on rust??
On 2017-06-22 11:31, Vadim A. Misbakh-Soloviovwrote: >> I just installed firefox-bin and did not feel any difference. >> >> I will try to compile firefox just for curiosity. > > Well. Only flags that can give you any difference is bindist (logos and so > on), > pgo (hard-way optimization), custom-*, and system-* ones. > > So, taking default "fx-bin" vs "fx" doesn't give you much difference. > > Although, I myself distrust any "*-bin" packages, and I'd never run them > outside of `firejail` with blacklisted access to anywhere on the filesystem. > > Although, I running even built-from-source firefox under firejail anyway (to > prevent java, js, drm and other crap to do anything on my system. even in > home > dir. Well, I finally compiled firefox and rust and used them. Just...keep it the Gentoo way ;)
Re: [gentoo-user] Firefox depends on rust??
On 06/22/2017 04:57 PM, R0b0t1 wrote: >> >> It would be against our ebuild policy if it does so. The sources for a >> package should be listed in SRC_URI and are downloaded and verified by >> your Gentoo package manager. After that, network access is forbidden. >> > > You might be interested in this bug I submitted: > https://bugs.gentoo.org/show_bug.cgi?id=537162. I commented on that bug over two years ago =) Don't use cabal-install to install packages. Stick to portage and you'll be fine.
Re: [gentoo-user] Firefox depends on rust??
On Thu, Jun 22, 2017 at 1:31 PM, Michael Orlitzkywrote: > On 06/22/2017 10:41 AM, R0b0t1 wrote: >> >> This is kind of troubling because much like Cabal it seems like the >> Rust package management system is insecure. Does the Firefox build >> process make use of it? >> > > It would be against our ebuild policy if it does so. The sources for a > package should be listed in SRC_URI and are downloaded and verified by > your Gentoo package manager. After that, network access is forbidden. > You might be interested in this bug I submitted: https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of packages in dev-haskell my use of GHC and Cabal showed me it was impossible to prevent Cabal's maintenance scripts from running; those scripts download and execute unsigned code. This seems to imply to me that the entire language needs to be masked or removed from portage until security is added upstream. My personal take on both Rust and Haskell is I don't want to install either of them on my main system even just to experiment with them because they are so insecure. If someone can comment on the security of Rust specifically that would be helpful.
Re: [gentoo-user] Firefox depends on rust??
On 06/22/2017 10:41 AM, R0b0t1 wrote: > > This is kind of troubling because much like Cabal it seems like the > Rust package management system is insecure. Does the Firefox build > process make use of it? > It would be against our ebuild policy if it does so. The sources for a package should be listed in SRC_URI and are downloaded and verified by your Gentoo package manager. After that, network access is forbidden.
Re: [gentoo-user] Firefox depends on rust??
On Thu, Jun 22, 2017 at 11:30 AM, Nils Freydankwrote: > Am Donnerstag, 22. Juni 2017, 16:41:54 CEST schrieb R0b0t1: >> [other quote] >> This is kind of troubling because much like Cabal it seems like the >> Rust package management system is insecure. Does the Firefox build >> process make use of it? > > Could you please specify what in your eyes is insecure in rust’s pm? > -- > GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B' > Nils Freydank I spent the most time looking at Cabal (Haskell's package manager) and so as far as code-related specifics go I have the best references in relation to it. I admit Rust may be different and that I haven't had a great deal of time to look at it, but I have seen this pattern in a few language-specific package managers to date. The gist of it is that the package managers are typically designed to download and run unsigned code as root. Releases are not signed and code may be fetched over plain HTTP. This is something even Windows doesn't let you do by default now. My research on Rust's crate system reached a point a while ago where I think I need a developer to chime in on it.
Re: [gentoo-user] Firefox depends on rust??
Am Donnerstag, 22. Juni 2017, 16:41:54 CEST schrieb R0b0t1: > [other quote] > This is kind of troubling because much like Cabal it seems like the > Rust package management system is insecure. Does the Firefox build > process make use of it? Could you please specify what in your eyes is insecure in rust’s pm? -- GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B' Nils Freydank signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
On Thu, Jun 22, 2017 at 2:13 AM, Danny YUEwrote: > Hi guys, > > I just found during upgrading my system that Firefox 54.0 depends on > dev-lang/rust and cannot be disabled?! > > It really takes a long time to compile rust, and I do not want to add > such a burden to my system compilation time. > > Does anyone knows why? Any idea? > > Thanks. > > Danny > This is kind of troubling because much like Cabal it seems like the Rust package management system is insecure. Does the Firefox build process make use of it?
Re: [gentoo-user] Firefox depends on rust??
Am Donnerstag, 22. Juni 2017, 13:33:33 CEST schrieb Vadim A. Misbakh-Soloviov: > > >=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin. > > ... to >=dev-lang/rust-bin-1.15.1 > > // fixed ;) /* Thanks! */ err... thanks! =-D -- GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B' Nils Freydank signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
> >=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin. ... to >=dev-lang/rust-bin-1.15.1 // fixed ;) signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
> I just installed firefox-bin and did not feel any difference. > > I will try to compile firefox just for curiosity. Well. Only flags that can give you any difference is bindist (logos and so on), pgo (hard-way optimization), custom-*, and system-* ones. So, taking default "fx-bin" vs "fx" doesn't give you much difference. Although, I myself distrust any "*-bin" packages, and I'd never run them outside of `firejail` with blacklisted access to anywhere on the filesystem. Although, I running even built-from-source firefox under firejail anyway (to prevent java, js, drm and other crap to do anything on my system. even in home dir. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
Hi, Am Donnerstag, 22. Juni 2017, 09:13:24 CEST schrieb Danny YUE: > Hi guys, > I just found during upgrading my system that Firefox 54.0 depends on > dev-lang/rust and cannot be disabled?! as mentioned by others here FF 54 uses now some code written in Rust, so USE="-rust" could not build the browser. > It really takes a long time to compile rust, and I do not want to add > such a burden to my system compilation time. > > Does anyone knows why? Any idea? > > Thanks. > > Danny There is actually rust-bin in the tree - we just have to push our maintainers a bit to use it =) https://bugs.gentoo.org/show_bug.cgi?id=622136 I guess the best workaround for you would be copying the firefox ebuild from tree to a local overlay[1], bumping it to -r1 and renaming the dependency >=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin. If the compilations works fine & and the compiled firefox runs well a small message plus the output of "emerge --info firefox rust" in the bugreport could be useful aswell. [1] https://wiki.gentoo.org/wiki/Ebuild_repository/Local_overlay Hope that helps while waiting for a proper fix. Greetings, Nils -- GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B' Nils Freydank (proxy maintainer) IRC: holgersson on freenode IRC servers XMPP: nils [at] holgersson [dot] xyz signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
On 2017-06-22 08:27, Alexey Eschenkowrote: > For me it was a *slightly* less quicker start. Which I think don't means > much when speaking about browser. > > > On 06/22/2017 11:09 AM, Danny YUE wrote: >> On 2017-06-22 07:43, Rasmus Thomsen wrote: >>> I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't >>> have problems with either of them >>> >>> Regards, >>> Rasmus >>> Original Message >>> On 22 Jun 2017, 09:34, Danny YUE wrote: >>> >>> On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov wrote: > Does anyone knows why? Any idea? The reason is in that fact, that many of it's components are in rust. And since it was possible to dodge it until now, maintainers considered it is not a way since now. And, by the way, it is not that many time to build rust, as you think: > Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 > merge time: 1 hour, 48 minutes. Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). So, ~20 mins would be enough on non-limited portage and full power of that i7. >>> Thank you all for replying. >>> >>> So it can be around 30~40 minutes or so on my i5 machine. >>> Just it feels strange to install something large that I would probably >>> never use myself. >>> >>> I am considering using binary package instead of compiling it myself. >>> >>> But I am afraid that using firefox-bin package would cause some >>> dependency problem. I once tried libreoffice-bin, but found it really >>> painful to resolve dependency issues during system upgrading. >>> >>> Anyone tried firefox-bin smoothly? >>> >>> Danny >>> @mva.name> >> Well, I ran into the same problem with libreoffice-bin *last time*, as >> Alexey. >> >> It seems that version number of libreoffice-bin is always smaller than >> libreoffice. So dependency issue is always a problem with it. >> >> I noticed firefox-bin only has *usual* packages as dependencies... >> By the way what is the difference between compiled and binary firefox >> from a user's perspective? >> >> P.S. Someone told me that people in this list do not like top-posting. >> >> Thanks. >> Danny >> I agree. Anyway I just start my Emacs and Firefox and keep them open until system shutdown. I just installed firefox-bin and did not feel any difference. I will try to compile firefox just for curiosity. Thank you all. Danny
Re: [gentoo-user] Firefox depends on rust??
For me it was a *slightly* less quicker start. Which I think don't means much when speaking about browser. On 06/22/2017 11:09 AM, Danny YUE wrote: On 2017-06-22 07:43, Rasmus Thomsenwrote: I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have problems with either of them Regards, Rasmus Original Message On 22 Jun 2017, 09:34, Danny YUE wrote: On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov wrote: Does anyone knows why? Any idea? The reason is in that fact, that many of it's components are in rust. And since it was possible to dodge it until now, maintainers considered it is not a way since now. And, by the way, it is not that many time to build rust, as you think: Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 merge time: 1 hour, 48 minutes. Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). So, ~20 mins would be enough on non-limited portage and full power of that i7. Thank you all for replying. So it can be around 30~40 minutes or so on my i5 machine. Just it feels strange to install something large that I would probably never use myself. I am considering using binary package instead of compiling it myself. But I am afraid that using firefox-bin package would cause some dependency problem. I once tried libreoffice-bin, but found it really painful to resolve dependency issues during system upgrading. Anyone tried firefox-bin smoothly? Danny @mva.name> Well, I ran into the same problem with libreoffice-bin *last time*, as Alexey. It seems that version number of libreoffice-bin is always smaller than libreoffice. So dependency issue is always a problem with it. I noticed firefox-bin only has *usual* packages as dependencies... By the way what is the difference between compiled and binary firefox from a user's perspective? P.S. Someone told me that people in this list do not like top-posting. Thanks. Danny -- Kind regards, Alexey Eschenko https://skobk.in/
Re: [gentoo-user] Firefox depends on rust??
On 2017-06-22 07:43, Rasmus Thomsenwrote: > I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have > problems with either of them > > Regards, > Rasmus > Original Message > On 22 Jun 2017, 09:34, Danny YUE wrote: > > On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov wrote: >>> Does anyone knows why? Any idea? >> The reason is in that fact, that many of it's components are in rust. >> And since it was possible to dodge it until now, maintainers considered it is >> not a way since now. >> >> And, by the way, it is not that many time to build rust, as you think: >>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 >>> merge time: 1 hour, 48 minutes. >> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", >> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). >> >> So, ~20 mins would be enough on non-limited portage and full power of that >> i7. > > Thank you all for replying. > > So it can be around 30~40 minutes or so on my i5 machine. > Just it feels strange to install something large that I would probably > never use myself. > > I am considering using binary package instead of compiling it myself. > > But I am afraid that using firefox-bin package would cause some > dependency problem. I once tried libreoffice-bin, but found it really > painful to resolve dependency issues during system upgrading. > > Anyone tried firefox-bin smoothly? > > Danny > @mva.name> Well, I ran into the same problem with libreoffice-bin *last time*, as Alexey. It seems that version number of libreoffice-bin is always smaller than libreoffice. So dependency issue is always a problem with it. I noticed firefox-bin only has *usual* packages as dependencies... By the way what is the difference between compiled and binary firefox from a user's perspective? P.S. Someone told me that people in this list do not like top-posting. Thanks. Danny
Re: [gentoo-user] Firefox depends on rust??
Last time I used libreoffice-bin and firefox-bin, first was really hard to satisfy dependencies (I was needed some packages to downgrade to old versions incompatible to other packages in my system). But with firefox-bin a had no such problem. But it was "last time". On 06/22/2017 10:34 AM, Danny YUE wrote: On 2017-06-22 07:23, Vadim A. Misbakh-Soloviovwrote: Does anyone knows why? Any idea? The reason is in that fact, that many of it's components are in rust. And since it was possible to dodge it until now, maintainers considered it is not a way since now. And, by the way, it is not that many time to build rust, as you think: Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 merge time: 1 hour, 48 minutes. Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). So, ~20 mins would be enough on non-limited portage and full power of that i7. Thank you all for replying. So it can be around 30~40 minutes or so on my i5 machine. Just it feels strange to install something large that I would probably never use myself. I am considering using binary package instead of compiling it myself. But I am afraid that using firefox-bin package would cause some dependency problem. I once tried libreoffice-bin, but found it really painful to resolve dependency issues during system upgrading. Anyone tried firefox-bin smoothly? Danny -- Kind regards, Alexey Eschenko https://skobk.in/
Re: [gentoo-user] Firefox depends on rust??
I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have problems with either of them Regards, Rasmus Original Message On 22 Jun 2017, 09:34, Danny YUE wrote: On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov wrote: >> Does anyone knows why? Any idea? > The reason is in that fact, that many of it's components are in rust. > And since it was possible to dodge it until now, maintainers considered it is > not a way since now. > > And, by the way, it is not that many time to build rust, as you think: >> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 >> merge time: 1 hour, 48 minutes. > Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", > NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). > > So, ~20 mins would be enough on non-limited portage and full power of that i7. Thank you all for replying. So it can be around 30~40 minutes or so on my i5 machine. Just it feels strange to install something large that I would probably never use myself. I am considering using binary package instead of compiling it myself. But I am afraid that using firefox-bin package would cause some dependency problem. I once tried libreoffice-bin, but found it really painful to resolve dependency issues during system upgrading. Anyone tried firefox-bin smoothly? Danny @mva.name>
Re: [gentoo-user] Firefox depends on rust??
On 2017-06-22 07:23, Vadim A. Misbakh-Soloviovwrote: >> Does anyone knows why? Any idea? > The reason is in that fact, that many of it's components are in rust. > And since it was possible to dodge it until now, maintainers considered it is > not a way since now. > > And, by the way, it is not that many time to build rust, as you think: >> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 >> merge time: 1 hour, 48 minutes. > Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", > NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). > > So, ~20 mins would be enough on non-limited portage and full power of that i7. Thank you all for replying. So it can be around 30~40 minutes or so on my i5 machine. Just it feels strange to install something large that I would probably never use myself. I am considering using binary package instead of compiling it myself. But I am afraid that using firefox-bin package would cause some dependency problem. I once tried libreoffice-bin, but found it really painful to resolve dependency issues during system upgrading. Anyone tried firefox-bin smoothly? Danny
Re: [gentoo-user] Firefox depends on rust??
> Does anyone knows why? Any idea? The reason is in that fact, that many of it's components are in rust. And since it was possible to dodge it until now, maintainers considered it is not a way since now. And, by the way, it is not that many time to build rust, as you think: > Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0 > merge time: 1 hour, 48 minutes. Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2", NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram). So, ~20 mins would be enough on non-limited portage and full power of that i7. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Firefox depends on rust??
Hi, since firefox 54 rust isn't optional anymore, you could use firefox 52 esr/firefox-bin (?) if you don't want to compile rust. Regards, Rasmus Original Message On 22 Jun 2017, 09:13, Danny YUE wrote: Hi guys, I just found during upgrading my system that Firefox 54.0 depends on dev-lang/rust and cannot be disabled?! It really takes a long time to compile rust, and I do not want to add such a burden to my system compilation time. Does anyone knows why? Any idea? Thanks. Danny
[gentoo-user] Firefox depends on rust??
Hi guys, I just found during upgrading my system that Firefox 54.0 depends on dev-lang/rust and cannot be disabled?! It really takes a long time to compile rust, and I do not want to add such a burden to my system compilation time. Does anyone knows why? Any idea? Thanks. Danny