On 10/19/2013 08:56 PM, Michael Orlitzky wrote:
> On 10/19/2013 08:29 PM, Anthony G. Basile wrote:
>>
>> Can you check to see if the || die is required only on packages before
>> EAPI = 5? Or is it on all EAPI versions?
>
> It's required anywhere you want the ebuild to die when pax-mark fails.
> AFAIK, the EAPI >= 4 auto-die behavior only applies to the commands
> listed in the PMS under "Ebuild-specific Commands".
>
>
>> Having said that, I'm not sure we want the ebuild to fail just because
>> pax-mark fails. People on vanilla profiles without xattr support will
>> be annoyed.
>
> Can this be done in the profiles instead of the eclass?
>
> Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the
> variable is unset. On hardened, we probably want PAX_MARKINGS="PT" for
> now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT" eventually.
>
> Non-hardened users don't care about the markings[1], so it doesn't
> matter to them whether or not pax-mark fails. But for hardened users,
> the package will be broken, so the ebuild should die.
>
> What would happen if we changed the line,
>
> PAX_MARKINGS=${PAX_MARKINGS:="PT"}
>
> in the eclass, to,
>
> PAX_MARKINGS=${PAX_MARKINGS:="none"}
>
> and added,
>
> PAX_MARKINGS="PT"
>
> to the hardened make.defaults?
>
>
>
> [1] There may be exceptions to this rule, but if we remove the PT
> default for non-hardened users, they can still set PAX_MARKINGS in
> make.conf if they want the markings.
>

The profile idea is a good one, but I'm always worried about people who
switch profiles. If we don't do the markings on *all* gentoo systems,
then someone switching from vanilla to hardened may have to re-emerge
lots of packages. Unlike PT_PAX which is guaranteed to be there for
systems compiled on gentoo, XT_PAX markings are more fragile and depend
on the filesystem being able to sustain them.



--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
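As an added illustration (not code from pax-utils.eclass or from either poster), a small POSIX sh model of the two points under discussion: how the eclass default line resolves PAX_MARKINGS when a profile or make.conf sets it, leaves it empty, or the default becomes "none", and why an ebuild's `pax-mark ... || die` only bites when a requested marking cannot be applied on the host. The function names and the capability flags are assumptions made for this simulation.

```shell
#!/bin/sh
# Added example, not part of pax-utils.eclass or the thread.

# Mirror the eclass line  PAX_MARKINGS=${PAX_MARKINGS:="PT"} :
# the default is taken when the variable is unset OR empty.
# $1 = value coming from the profile's make.defaults or make.conf
#      ("" stands for unset), $2 = the eclass default ("PT" or "none").
effective_markings() {
    _m="$1"
    printf '%s' "${_m:=$2}"
}

# Simulated pax-mark (assumption: real pax-mark tries each marking in
# turn). $1 = markings string, $2 = 1 if PT_PAX tooling works on this
# host, $3 = 1 if the filesystem sustains XT_PAX xattrs.
# Returns 0 when every requested marking could be applied, 1 otherwise;
# that exit status is what "pax-mark m bin || die" tests in an ebuild.
pax_mark_sim() {
    _ret=0
    for _flag in $1; do
        case $_flag in
            PT) [ "$2" -eq 1 ] || _ret=1 ;;
            XT) [ "$3" -eq 1 ] || _ret=1 ;;
            *)  ;;   # "none" and unknown words request nothing
        esac
    done
    return $_ret
}

# Outcome of "pax-mark m bin || die" for one configuration.
# $1 = profile/make.conf value, $2 = eclass default, $3/$4 = host caps.
# Prints "ok" or "die".
ebuild_outcome() {
    _eff=$(effective_markings "$1" "$2")
    if pax_mark_sim "$_eff" "$3" "$4"; then
        printf 'ok'
    else
        printf 'die'
    fi
}
```

With the proposed "none" default, a vanilla system without xattr support no longer dies, while a hardened profile that sets `PAX_MARKINGS="PT XT"` still dies when the filesystem cannot hold the xattr marking.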