Date: Tue, 12 Nov 2024 09:08:39 -0500
Subject: Re: [gentoo-dev] [RFC] Reinstatement of zstd and lzma as Global USE flags?
To: gentoo-dev@lists.gentoo.org
From: Eli Schwartz

On 11/12/24 8:56 AM, Peter Böhm wrote:
> Hello everyone,
>
> as far as I remember correctly, both were activated globally and were only
> removed as global settings due to the security vulnerability of zstd. This is
> now history and I would like to ask if we should re-enable both globally?

It actually happened in https://bugs.gentoo.org/928932

The rationale for dropping it from global USE was:

> This default doesn't actually solve the stated problem, and setting
> it in a high-level profile causes new ones for users who want it
> disabled. The obvious solution to revert to the status quo is to set
> USE="-lzma", but that has the dangerous side-effect of overriding
> IUSE defaults in packages where they are important. For example,
> sys-apps/kmod uses +lzma to ensure that your kernel will boot if you
> choose lzma compression for modules; helpful, because there's no
> other way for the package manager to track that dependency.

And the mailing list discussion involved was:

https://public-inbox.gentoo.org/gentoo-dev/98d180b6db191830e9700d0f5b874274a3fd4755.camel@gentoo.org/

Admittedly, some comments were made at the time that it was "interesting
timing because of the xz backdoor" but the core point made by Michael is
useful to note here:

> What I am saying is that I want the freedom to not have things
> pointlessly enabled on my systems, because similar problems (and worse)
> happen all day every day. The less exposure I have, the better. The
> liblzma backdoor was timely because it will prevent most people from
> telling me I'm being paranoid, but it could have been USE=anything on
> any other day. Moving the defaults out of the high-level profiles will
> give control back to the user, hence my complaint about it.

-- 
Eli Schwartz
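
The interaction described in the quoted rationale, as an added example that is not part of the e-mail and is not Portage code: a simplified Python model of USE-flag stacking, assuming the default `USE_ORDER` from make.conf(5) reduced to four layers. `app-misc/example` is a hypothetical package; the `+lzma` default on sys-apps/kmod is taken from the message above.

```python
# Added example: a simplified model of Portage USE stacking, not Portage code.
# Assumption: layers follow the default USE_ORDER from make.conf(5), reduced to
# pkginternal (IUSE defaults) < defaults (profile) < conf (make.conf) < pkg (package.use).
# "-*" and other special tokens are not modelled.

def resolve(flag, iuse_plus, profile=(), make_conf=(), package_use=()):
    """Return (enabled, deciding_layer) for one USE flag of one package."""
    enabled, source = (True, "IUSE default") if iuse_plus else (False, "unset")
    # Later layers override earlier ones; within a layer the last token wins.
    for layer, tokens in (("profile", profile),
                          ("make.conf", make_conf),
                          ("package.use", package_use)):
        for token in tokens:
            if token == flag:
                enabled, source = True, layer
            elif token == "-" + flag:
                enabled, source = False, layer
    return enabled, source

# sys-apps/kmod carries IUSE="+lzma" (per the quoted rationale);
# app-misc/example is a hypothetical package with a plain IUSE="lzma".
PACKAGES = {"sys-apps/kmod": True, "app-misc/example": False}

# Constructed scenarios: before the change, the blanket revert, after the change.
SCENARIOS = {
    "profile enables lzma": dict(profile=["lzma"]),
    "profile enables lzma, make.conf USE=-lzma": dict(profile=["lzma"],
                                                      make_conf=["-lzma"]),
    "profile leaves lzma alone": dict(),
}

def evaluate():
    """Map scenario -> package -> (enabled, deciding_layer)."""
    return {name: {pkg: resolve("lzma", plus, **layers)
                   for pkg, plus in PACKAGES.items()}
            for name, layers in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name)
        for pkg, (enabled, source) in result.items():
            print(f"  {pkg:18} lzma={'on' if enabled else 'off':3} ({source})")
```

In the second scenario the blanket `-lzma` in make.conf also switches off kmod's `+lzma` default, which is the side effect the rationale calls dangerous; in the third, each package's own IUSE default decides.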