| 1 |
On Monday 08 June 2009, Maciej Mrozowski wrote: |
| 2 |
... |
| 3 |
> While it usually doesn't do any particular harm (but I guess security |
| 4 |
> and prefix/alt team won't agree on this) - insanely enabling |
| 5 |
> everything by default is not the best idea in my opinion. |
| 6 |
|
| 7 |
The Security Team supports all use flag combinations, even those not |
| 8 |
enabled by default. Masked use flags are not supported. As far as |
| 9 |
proactively disabling certain codecs go, that certainly exploits of |
| 10 |
certain (disabled) codecs. However, if the user was tricked into |
| 11 |
downloading a file and will see that he cannot play it due to a missing |
| 12 |
codec, he might just enable that use flag and rety. |
| 13 |
The only way to be safe is to minimize the untrusted input to your |
| 14 |
application, keep it updated, and employ other means of hardening |
| 15 |
(privilege separation). |
| 16 |
|
| 17 |
> Of course we need an example. Let's have a look at latest stable |
| 18 |
> media- video/mplayer-1.0_rc2_p20090322 ebuild: |
| 19 |
... |
| 20 |
> Personally I'd really like to hear some explanation from maintainers |
| 21 |
> about the reasons mplayer needs all those dependencies or why they |
| 22 |
> are *really* recommended for every user of *any* profile (let me |
| 23 |
> remind this). |
| 24 |
|
| 25 |
You should see the list of referenced bug reports in the ChangeLog for |
| 26 |
an explanation: https://bugs.gentoo.org/show_bug.cgi?id=260588 |
| 27 |
|
| 28 |
As stated there, all internally supported codecs are enabled, and only |
| 29 |
very few default USE flags require external deps. |
| 30 |
|
| 31 |
> But thats's not the point - the point is, Gentoo probably needs some |
| 32 |
> policy to advise, when some newly added USE flags are appropriate to |
| 33 |
> be enabled by default. |
| 34 |
> |
| 35 |
> I suggest as follows: |
| 36 |
> - When newly added USE flag makes already provided feature optional - |
| 37 |
> needs to be enabled by default (this is required to make package |
| 38 |
> feature set somewhat invariant after update) |
| 39 |
> - When newly added USE flag adds new feature that is considered very |
| 40 |
> common (that's tricky part and decision should be always made by |
| 41 |
> herd, not individual developer) *but* *does* *not* *pull* *any* |
| 42 |
> *dependencies* - enable by default - in any other case *do* *not* |
| 43 |
> *enable* by default - (why? because "I use it so I'll enable it by |
| 44 |
> default" is not enough of an explanation) |
| 45 |
> |
| 46 |
> What's the opinion on that? I guess we need some policy or at least |
| 47 |
> some suggestion mentioned in devmanual - really.. |
| 48 |
|
| 49 |
I am in favor of applying common sense (hah!). An application (and an |
| 50 |
OS, in general) in the default config should run the common use cases, |
| 51 |
and some more. It's just as easy to remove a use flag as it is to |
| 52 |
enable it. |
| 53 |
And personally, I hate having to enable USE=png on all my desktop |
| 54 |
machines so I can use a desktop background. Just as much as I hate |
| 55 |
downloading some video and realizing I forgot to add USE=schroedinger |
| 56 |
for mplayer, and then wait for a recompile before the fun. |
| 57 |
|
| 58 |
|
| 59 |
Robert |
Archives