Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread R0b0t1
On Thu, Jun 22, 2017 at 9:02 PM, Michael Orlitzky  wrote:
> On 06/22/2017 04:57 PM, R0b0t1 wrote:
>>>
>>> It would be against our ebuild policy if it does so. The sources for a
>>> package should be listed in SRC_URI and are downloaded and verified by
>>> your Gentoo package manager. After that, network access is forbidden.
>>>
>>
>> You might be interested in this bug I submitted:
>> https://bugs.gentoo.org/show_bug.cgi?id=537162.
>
> I commented on that bug over two years ago =)
>
> Don't use cabal-install to install packages. Stick to portage and you'll
> be fine.
>

I tried to reference that in my post. I tried to install the packages
that constitute the Haskell platform but cabal related utilities were
still firing off on their own.



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Danny YUE

On 2017-06-22 11:31, Vadim A. Misbakh-Soloviov  wrote:
>> I just installed firefox-bin and did not feel any difference.
>> 
>> I will try to compile firefox just for curiosity.
>
> Well. Only flags that can give you any difference is bindist (logos and so on),
> pgo (hard-way optimization), custom-*, and system-* ones.
>
> So, taking default "fx-bin" vs "fx" doesn't give you much difference.
>
> Although, I myself distrust any "*-bin" packages, and I'd never run them 
> outside of `firejail` with blacklisted access to anywhere on the filesystem.
>
> Although, I running even built-from-source firefox under firejail anyway (to
> prevent java, js, drm and other crap to do anything on my system. even in home
> dir.

Well, I finally compiled firefox and rust and used them.

Just...keep it the Gentoo way ;)



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Michael Orlitzky
On 06/22/2017 04:57 PM, R0b0t1 wrote:
>>
>> It would be against our ebuild policy if it does so. The sources for a
>> package should be listed in SRC_URI and are downloaded and verified by
>> your Gentoo package manager. After that, network access is forbidden.
>>
> 
> You might be interested in this bug I submitted:
> https://bugs.gentoo.org/show_bug.cgi?id=537162. 

I commented on that bug over two years ago =)

Don't use cabal-install to install packages. Stick to portage and you'll
be fine.




Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread R0b0t1
On Thu, Jun 22, 2017 at 1:31 PM, Michael Orlitzky  wrote:
> On 06/22/2017 10:41 AM, R0b0t1 wrote:
>>
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>>
>
> It would be against our ebuild policy if it does so. The sources for a
> package should be listed in SRC_URI and are downloaded and verified by
> your Gentoo package manager. After that, network access is forbidden.
>

You might be interested in this bug I submitted:
https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of
packages in dev-haskell my use of GHC and Cabal showed me it was
impossible to prevent Cabal's maintenance scripts from running; those
scripts download and execute unsigned code. This seems to imply to me
that the entire language needs to be masked or removed from portage
until security is added upstream.

My personal take on both Rust and Haskell is I don't want to install
either of them on my main system even just to experiment with them
because they are so insecure. If someone can comment on the security
of Rust specifically that would be helpful.



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Michael Orlitzky
On 06/22/2017 10:41 AM, R0b0t1 wrote:
> 
> This is kind of troubling because much like Cabal it seems like the
> Rust package management system is insecure. Does the Firefox build
> process make use of it?
> 

It would be against our ebuild policy if it does so. The sources for a
package should be listed in SRC_URI and are downloaded and verified by
your Gentoo package manager. After that, network access is forbidden.
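
The check described in the message above (a downloaded source file is accepted only if it matches the size and digests recorded for it), as an added Python illustration that is not part of the original post and is not Portage's own code. It assumes the `DIST <file> <size> <HASH> <hex> ...` line layout of Gentoo Manifest files; the file name, contents and the set of hash names handled are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Manifest hash names mapped to hashlib constructors (other names are skipped).
HASHES = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512, "SHA256": hashlib.sha256}


def parse_manifest(text):
    """Return {filename: (size, {hash_name: hex_digest})} for every DIST line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "DIST":
            continue  # EBUILD/AUX/MISC lines do not describe distfiles
        if len(fields) < 5 or len(fields) % 2 == 0:
            raise ValueError(f"malformed DIST line: {line!r}")
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries


def verify_distfile(distdir, name, manifest):
    """Return a list of failure reasons; an empty list means the file verified."""
    if name not in manifest:
        return ["not listed in Manifest"]
    size, digests = manifest[name]
    usable = {n: d for n, d in digests.items() if n in HASHES}
    if not usable:
        return ["no supported digest recorded"]
    path = os.path.join(distdir, name)
    if not os.path.isfile(path):
        return ["file missing"]
    if os.path.getsize(path) != size:  # cheap check before hashing
        return ["size mismatch"]
    hashers = {n: HASHES[n]() for n in usable}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return [f"{n} mismatch" for n, h in hashers.items()
            if not hmac.compare_digest(h.hexdigest(), usable[n].lower())]


def demo():
    """Check a constructed distfile, a same-size tampered copy and an unlisted file."""
    name = "example-1.0.tar.gz"  # constructed sample name
    good = b"constructed sample tarball contents\n"
    line = "DIST {} {} BLAKE2B {} SHA512 {}".format(
        name, len(good), hashlib.blake2b(good).hexdigest(), hashlib.sha512(good).hexdigest())
    manifest = parse_manifest(line + "\nEBUILD example-1.0.ebuild 123 SHA512 00\n")
    results = {}
    with tempfile.TemporaryDirectory() as distdir:
        path = os.path.join(distdir, name)
        with open(path, "wb") as fh:
            fh.write(good)
        results["clean"] = verify_distfile(distdir, name, manifest)
        with open(path, "wb") as fh:
            fh.write(good.replace(b"sample", b"SAMPLE"))  # same size, different bytes
        results["tampered"] = verify_distfile(distdir, name, manifest)
        results["unlisted"] = verify_distfile(distdir, "other-2.0.tar.gz", manifest)
    return results


if __name__ == "__main__":
    for case, failures in demo().items():
        print(case, "->", failures or "verified")
```

The tampered copy keeps the recorded size, so only the digest comparison catches it; a file with no Manifest entry is rejected outright.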




Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread R0b0t1
On Thu, Jun 22, 2017 at 11:30 AM, Nils Freydank  wrote:
> On Thursday, 22 June 2017, 16:41:54 CEST, R0b0t1 wrote:
>> [other quote]
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>
> Could you please specify what in your eyes is insecure in rust’s pm?
> --
> GPG fingerprint: '00EF D31F 1B60 D5DB ADB8  31C1 C0EC E696 0E54 475B'
> Nils Freydank

I spent the most time looking at Cabal (Haskell's package manager) and
so as far as code-related specifics go I have the best references in
relation to it. I admit Rust may be different and that I haven't had a
great deal of time to look at it, but I have seen this pattern in a
few language-specific package managers to date.

The gist of it is that the package managers are typically designed to
download and run unsigned code as root. Releases are not signed and
code may be fetched over plain HTTP. This is something even Windows
doesn't let you do by default now.

My research on Rust's crate system reached a point a while ago where I
think I need a developer to chime in on it.



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Nils Freydank
On Thursday, 22 June 2017, 16:41:54 CEST, R0b0t1 wrote:
> [other quote]
> This is kind of troubling because much like Cabal it seems like the
> Rust package management system is insecure. Does the Firefox build
> process make use of it?

Could you please specify what in your eyes is insecure in rust’s pm?
-- 
GPG fingerprint: '00EF D31F 1B60 D5DB ADB8  31C1 C0EC E696 0E54 475B'
Nils Freydank



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread R0b0t1
On Thu, Jun 22, 2017 at 2:13 AM, Danny YUE  wrote:
> Hi guys,
>
> I just found during upgrading my system that Firefox 54.0 depends on
> dev-lang/rust and cannot be disabled?!
>
> It really takes a long time to compile rust, and I do not want to add
> such a burden to my system compilation time.
>
> Does anyone knows why? Any idea?
>
> Thanks.
>
> Danny
>

This is kind of troubling because much like Cabal it seems like the
Rust package management system is insecure. Does the Firefox build
process make use of it?



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Nils Freydank
On Thursday, 22 June 2017, 13:33:33 CEST, Vadim A. Misbakh-Soloviov wrote:
> > >=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin.
> 
> ... to >=dev-lang/rust-bin-1.15.1
> 
> // fixed ;) /* Thanks! */
err... thanks! =-D

-- 
GPG fingerprint: '00EF D31F 1B60 D5DB ADB8  31C1 C0EC E696 0E54 475B'
Nils Freydank



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Vadim A. Misbakh-Soloviov
> >=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin.
... to >=dev-lang/rust-bin-1.15.1

// fixed ;)




Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Vadim A. Misbakh-Soloviov
> I just installed firefox-bin and did not feel any difference.
> 
> I will try to compile firefox just for curiosity.

Well. The only flags that can give you any difference are bindist (logos and so on),
pgo (hard-way optimization), custom-*, and system-* ones.

So, taking default "fx-bin" vs "fx" doesn't give you much difference.

Although, I myself distrust any "*-bin" packages, and I'd never run them 
outside of `firejail` with blacklisted access to anywhere on the filesystem.

Although, I am running even built-from-source firefox under firejail anyway (to
prevent java, js, drm and other crap from doing anything on my system, even in
home dir).



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Nils Freydank
Hi,

On Thursday, 22 June 2017, 09:13:24 CEST, Danny YUE wrote:
> Hi guys,
> I just found during upgrading my system that Firefox 54.0 depends on
> dev-lang/rust and cannot be disabled?!

as mentioned by others here FF 54 uses now some code written in Rust, so 
USE="-rust" could not build the browser.
> It really takes a long time to compile rust, and I do not want to add
> such a burden to my system compilation time.
> 
> Does anyone knows why? Any idea?
> 
> Thanks.
> 
> Danny

There is actually rust-bin in the tree - we just have to push our maintainers 
a bit to use it =)

https://bugs.gentoo.org/show_bug.cgi?id=622136

I guess the best workaround for you would be copying the firefox ebuild from 
tree to a local overlay[1], bumping it to -r1 and renaming the dependency 
>=dev-lang/rust-1.15.1 to >=dev-lang/rust-1.15.1-bin.

If the compilation works fine and the compiled firefox runs well, a small
message plus the output of "emerge --info firefox rust" in the bugreport could
be useful as well.


[1] https://wiki.gentoo.org/wiki/Ebuild_repository/Local_overlay

Hope that helps while waiting for a proper fix.

Greetings,
Nils

-- 
GPG fingerprint: '00EF D31F 1B60 D5DB ADB8  31C1 C0EC E696 0E54 475B'
Nils Freydank (proxy maintainer)
IRC: holgersson on freenode IRC servers
XMPP: nils [at] holgersson [dot] xyz



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Danny YUE

On 2017-06-22 08:27, Alexey Eschenko  wrote:
> For me it was a *slightly* less quicker start. Which I think don't means 
> much when speaking about browser.
>
>
> On 06/22/2017 11:09 AM, Danny YUE wrote:
>> On 2017-06-22 07:43, Rasmus Thomsen  wrote:
>>> I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't 
>>> have problems with either of them
>>>
>>> Regards,
>>> Rasmus
>>>  Original Message 
>>> On 22 Jun 2017, 09:34, Danny YUE wrote:
>>>
>>> On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>>>>> Does anyone knows why? Any idea?
>>>> The reason is in that fact, that many of it's components are in rust.
>>>> And since it was possible to dodge it until now, maintainers considered it is
>>>> not a way since now.
>>>>
>>>> And, by the way, it is not that many time to build rust, as you think:
>>>>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>>>>> merge time: 1 hour, 48 minutes.
>>>> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
>>>> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>>>>
>>>> So, ~20 mins would be enough on non-limited portage and full power of that i7.
>>> Thank you all for replying.
>>>
>>> So it can be around 30~40 minutes or so on my i5 machine.
>>> Just it feels strange to install something large that I would probably
>>> never use myself.
>>>
>>> I am considering using binary package instead of compiling it myself.
>>>
>>> But I am afraid that using firefox-bin package would cause some
>>> dependency problem. I once tried libreoffice-bin, but found it really
>>> painful to resolve dependency issues during system upgrading.
>>>
>>> Anyone tried firefox-bin smoothly?
>>>
>>> Danny
>> Well, I ran into the same problem with libreoffice-bin *last time*, as
>> Alexey.
>>
>> It seems that version number of libreoffice-bin is always smaller than
>> libreoffice. So dependency issue is always a problem with it.
>>
>> I noticed firefox-bin only has *usual* packages as dependencies...
>> By the way what is the difference between compiled and binary firefox
>> from a user's perspective?
>>
>> P.S. Someone told me that people in this list do not like top-posting.
>>
>> Thanks.
>> Danny
>>

I agree.

Anyway I just start my Emacs and Firefox and keep them open until system
shutdown.

I just installed firefox-bin and did not feel any difference.

I will try to compile firefox just for curiosity.

Thank you all.

Danny



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Alexey Eschenko
For me it was a *slightly* less quick start. Which I think doesn't mean
much when speaking about a browser.



On 06/22/2017 11:09 AM, Danny YUE wrote:
> On 2017-06-22 07:43, Rasmus Thomsen  wrote:
>> I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have
>> problems with either of them
>>
>> Regards,
>> Rasmus
>>  Original Message 
>> On 22 Jun 2017, 09:34, Danny YUE wrote:
>>
>> On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>>>> Does anyone knows why? Any idea?
>>> The reason is in that fact, that many of it's components are in rust.
>>> And since it was possible to dodge it until now, maintainers considered it is
>>> not a way since now.
>>>
>>> And, by the way, it is not that many time to build rust, as you think:
>>>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>>>> merge time: 1 hour, 48 minutes.
>>> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
>>> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>>>
>>> So, ~20 mins would be enough on non-limited portage and full power of that i7.
>>
>> Thank you all for replying.
>>
>> So it can be around 30~40 minutes or so on my i5 machine.
>> Just it feels strange to install something large that I would probably
>> never use myself.
>>
>> I am considering using binary package instead of compiling it myself.
>>
>> But I am afraid that using firefox-bin package would cause some
>> dependency problem. I once tried libreoffice-bin, but found it really
>> painful to resolve dependency issues during system upgrading.
>>
>> Anyone tried firefox-bin smoothly?
>>
>> Danny
>
> Well, I ran into the same problem with libreoffice-bin *last time*, as
> Alexey.
>
> It seems that version number of libreoffice-bin is always smaller than
> libreoffice. So dependency issue is always a problem with it.
>
> I noticed firefox-bin only has *usual* packages as dependencies...
> By the way what is the difference between compiled and binary firefox
> from a user's perspective?
>
> P.S. Someone told me that people in this list do not like top-posting.
>
> Thanks.
> Danny



--
Kind regards,
Alexey Eschenko
https://skobk.in/




Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Danny YUE

On 2017-06-22 07:43, Rasmus Thomsen  wrote:
> I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have 
> problems with either of them
>
> Regards,
> Rasmus
>  Original Message 
> On 22 Jun 2017, 09:34, Danny YUE wrote:
>
> On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>>> Does anyone knows why? Any idea?
>> The reason is in that fact, that many of it's components are in rust.
>> And since it was possible to dodge it until now, maintainers considered it is
>> not a way since now.
>>
>> And, by the way, it is not that many time to build rust, as you think:
>>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>>> merge time: 1 hour, 48 minutes.
>> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
>> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>>
>> So, ~20 mins would be enough on non-limited portage and full power of that 
>> i7.
>
> Thank you all for replying.
>
> So it can be around 30~40 minutes or so on my i5 machine.
> Just it feels strange to install something large that I would probably
> never use myself.
>
> I am considering using binary package instead of compiling it myself.
>
> But I am afraid that using firefox-bin package would cause some
> dependency problem. I once tried libreoffice-bin, but found it really
> painful to resolve dependency issues during system upgrading.
>
> Anyone tried firefox-bin smoothly?
>
> Danny

Well, I ran into the same problem with libreoffice-bin *last time*, as
Alexey.

It seems that version number of libreoffice-bin is always smaller than
libreoffice. So dependency issue is always a problem with it.

I noticed firefox-bin only has *usual* packages as dependencies...
By the way what is the difference between compiled and binary firefox
from a user's perspective?

P.S. Someone told me that people in this list do not like top-posting.

Thanks.
Danny



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Alexey Eschenko
Last time I used libreoffice-bin and firefox-bin, for the first it was really
hard to satisfy dependencies (I needed to downgrade some packages to old
versions incompatible with other packages in my system). But with
firefox-bin I had no such problem.


But it was "last time".


On 06/22/2017 10:34 AM, Danny YUE wrote:
> On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>>> Does anyone knows why? Any idea?
>> The reason is in that fact, that many of it's components are in rust.
>> And since it was possible to dodge it until now, maintainers considered it is
>> not a way since now.
>>
>> And, by the way, it is not that many time to build rust, as you think:
>>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>>>   merge time: 1 hour, 48 minutes.
>> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
>> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>>
>> So, ~20 mins would be enough on non-limited portage and full power of that i7.
>
> Thank you all for replying.
>
> So it can be around 30~40 minutes or so on my i5 machine.
> Just it feels strange to install something large that I would probably
> never use myself.
>
> I am considering using binary package instead of compiling it myself.
>
> But I am afraid that using firefox-bin package would cause some
> dependency problem. I once tried libreoffice-bin, but found it really
> painful to resolve dependency issues during system upgrading.
>
> Anyone tried firefox-bin smoothly?
>
> Danny



--
Kind regards,
Alexey Eschenko
https://skobk.in/




Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Rasmus Thomsen
I'm using firefox-bin ( and libreoffice-bin ) on my laptop and I didn't have 
problems with either of them

Regards,
Rasmus
 Original Message 
On 22 Jun 2017, 09:34, Danny YUE wrote:

On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>> Does anyone knows why? Any idea?
> The reason is in that fact, that many of it's components are in rust.
> And since it was possible to dodge it until now, maintainers considered it is
> not a way since now.
>
> And, by the way, it is not that many time to build rust, as you think:
>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>> merge time: 1 hour, 48 minutes.
> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>
> So, ~20 mins would be enough on non-limited portage and full power of that i7.

Thank you all for replying.

So it can be around 30~40 minutes or so on my i5 machine.
Just it feels strange to install something large that I would probably
never use myself.

I am considering using binary package instead of compiling it myself.

But I am afraid that using firefox-bin package would cause some
dependency problem. I once tried libreoffice-bin, but found it really
painful to resolve dependency issues during system upgrading.

Anyone tried firefox-bin smoothly?

Danny

Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Danny YUE

On 2017-06-22 07:23, Vadim A. Misbakh-Soloviov  wrote:
>> Does anyone knows why? Any idea?
> The reason is in that fact, that many of it's components are in rust.
> And since it was possible to dodge it until now, maintainers considered it is
> not a way since now.
>
> And, by the way, it is not that many time to build rust, as you think:
>> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>>   merge time: 1 hour, 48 minutes.
> Than was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
> NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).
>
> So, ~20 mins would be enough on non-limited portage and full power of that i7.

Thank you all for replying.

So it can be around 30~40 minutes or so on my i5 machine.
Just it feels strange to install something large that I would probably
never use myself.

I am considering using binary package instead of compiling it myself.

But I am afraid that using firefox-bin package would cause some
dependency problem. I once tried libreoffice-bin, but found it really
painful to resolve dependency issues during system upgrading.

Anyone tried firefox-bin smoothly?

Danny



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Vadim A. Misbakh-Soloviov
> Does anyone knows why? Any idea?
The reason is in that fact, that many of its components are in rust.
And since it was possible to dodge it until now, maintainers considered it is
not a way since now.

And, by the way, it is not that much time to build rust, as you think:
> Thu Jun 22 12:34:00 2017 >>> dev-lang/rust-1.16.0
>   merge time: 1 hour, 48 minutes.
That was on 1.9GHz with hardly limited portage (MAKEOPTS="-j5 -l2",
NICENESS=18, ionice -c3, and cgroupped on cpu shares and ram).

So, ~20 mins would be enough on non-limited portage and full power of that i7.



Re: [gentoo-user] Firefox depends on rust??

2017-06-22 Thread Rasmus Thomsen
Hi,

since firefox 54 rust isn't optional anymore, you could use firefox 52 
esr/firefox-bin (?) if you don't want to compile rust.

Regards,
Rasmus

 Original Message 
On 22 Jun 2017, 09:13, Danny YUE wrote:
Hi guys,

I just found during upgrading my system that Firefox 54.0 depends on
dev-lang/rust and cannot be disabled?!

It really takes a long time to compile rust, and I do not want to add
such a burden to my system compilation time.

Does anyone knows why? Any idea?

Thanks.

Danny

[gentoo-user] Firefox depends on rust??

2017-06-22 Thread Danny YUE
Hi guys,

I just found during upgrading my system that Firefox 54.0 depends on
dev-lang/rust and cannot be disabled?!

It really takes a long time to compile rust, and I do not want to add
such a burden to my system compilation time.

Does anyone knows why? Any idea?

Thanks.

Danny