[gentoo-dev] Re: Things one could be upset about - gentoo-dev

From:	Duncan <1i5t5.duncan@×××.net>
To:	gentoo-dev@l.g.o
Subject:	[gentoo-dev] Re: Things one could be upset about
Date:	Mon, 26 Jan 2015 13:22:18
Message-Id:	`pan$7e490$6780a868$d6987b63$8bd75308@cox.net`
In Reply to:	Re: [gentoo-dev] Re: Things one could be upset about by "Róbert Čerňanský"

1

Róbert Čerňanský posted on Sun, 25 Jan 2015 14:27:50 +0100 as excerpted:

2

3

> On Sun, 25 Jan 2015 04:29:43 +0000 (UTC)

4

> Duncan <1i5t5.duncan@×××.net> wrote:

5

>> [...]

6

>

7

> More frequent updates is most likely the reason that you do not have to

8

> edit use flags every time.

9

10

With the information below, seems like it.

11

12

> I update every 2-4 months (only GLSAs in between) therefore my

13

> experience is that I have to edit it every time (not for GLSAs of

14

> course).

15

16

I'd worry about that.

17

18

Frankly, I think the GLSAs are often too slow to come out, but I'm 

19

honestly not sure what could practically be done to fix it.  The problem 

20

(as I understand/see it) is that by policy the GLSAs don't get released 

21

until all security-handled archs have stable-keyworded the fixed package-

22

version, and some of those security-supported archs are underpowered and/

23

or undermanned and simply take longer than I'd consider ideal to do that 

24

keywording, even at security-priority.  But the only real and practical 

25

fix would be either GLSA's per-arch as they stabilize, and accepting that 

26

such a policy means the slow archs /will/ be sitting there exposed 

27

without a stabilized fix or GLSA, OR a GLSA-on-first-stable policy, and 

28

accept that archs behind the first to stable would be getting GLSAs 

29

suggesting fixed packages that might not actually be tested and 

30

stabilized for a month on some affected archs.

31

32

The result of the current policy is that if you're waiting for the GLSA, 

33

unless it's _extreme_ priority (heartbleed level), on at least amd64, 

34

you're very often sitting there exposed for well over a week, and too 

35

often a month, after the fix is out there, actually installed on /my/ 

36

systems.  And to me that's a game of Russian Roulette odds that I'm 

37

simply not willing to play.

38

39

If you're going to do security-updates only, at least follow a good 

40

notification service (LWN's daily security updates notices are a start, 

41

if you compare against what you have installed on gentoo), and grab the 

42

corresponding gentoo updates before the GLSAs.  At least then, if it's at 

43

least high enough priority to hit the news, you'll have it manually 

44

installed and won't be sitting there with your *** hanging out for weeks 

45

at a time!

46

47

>

48

>> 2) My global USE= starts with -*.  I got tired of worrying about what

49

> [...]

50

> More or less same here, except -* as the default.  I trust developers

51

> that they are choosing wisely in profile and ebuilds. ;-)

52

53

It's not that I don't trust 'em.  I'm running their ebuilds as root, 

54

after all. =:^)

55

56

It's more the certainty of knowing however it's set, I set it that way, 

57

and other than a flag name change or add/remove, it's going to stay that 

58

way unless I change it.  Also, figuring out where a tree default comes 

59

from isn't as easy or intuitive as it might be.  Both the profiles and 

60

the ebuilds (with eclasses) cascade, and while I agree with doing it that 

61

way (I was around before cascading profiles and when eclasses were much 

62

simpler than they are today, and believe me, this way's easier/better!), 

63

it doesn't make looking up things easier.

64

65

FWIW I negate my entire @system set and thus have an empty @system, with 

66

some otherwise @system packages in @world, and a few simply not installed 

67

as such, for similar reasons.  I want to control it myself.

68

69

Plus, after setting -* in my use file, all the -flag entries in the file 

70

could go away.  MUCH cleaner USE file now! =:^)  And it turned out there 

71

actually weren't that many changes after that, because I had negated 

72

profile or IUSE defaults enough already, with package.use where it 

73

deviated, that -* ended up being a rather large simplification of the use 

74

file itself, with few actual flag changes. =:^)

75

76

The one thing I /do/ need to be aware of, now, is that I /don't/ 

77

automatically see IUSE defaults in the various packages.  Thus, on new 

78

packages or major upgrades that significantly change USE flags, when I'm 

79

in doubt on a flag, I do occasionally actually check the ebuild, to see 

80

whether the maintainer considered it important enough to use-default it 

81

on.

82

83

>> When I set such an entry, I prefix a comment line with the date and an

84

>> explanation of WHY the entry needs to be there, different from my

85

>> normal default settings.  Sometimes, it's due to a bug, and a couple

86

>> versions later I can go thru and test with that entry commented, to see

87

>> if the bug is fixed, yet.  Other times it's due to a use-dep from some

88

>> other package I have installed.  Both qt and kde tend to have

89

>

90

> This where we get to the point.  If you set USE flag because of a bug or

91

> because of dependency it is not because you *want to* but because you

92

> *have to* (or portage *needs to*).  Therefore you need to add a comment

93

> WHY you did it.

94

>

95

> For example I have -doc in make.conf because I do *not want* docs

96

> globally.  But I have 'dev-lang/python doc' in package.use because I

97

> develop in Python and *want* the documentation for it.  Such entry does

98

> not need a comment, because I simply know what I want.

99

100

My comment for the latter is generally along the lines of "I want docs 

101

for this", or "docs here are useful".

102

103

Here, it's justifying the non-default with documentation.  It doesn't 

104

matter so much whether it's a non-default I want specifically, or one 

105

that was forced on me, there's a reason I set my USE flags as I do, and 

106

deviating from that needs justification, so I provide it... in a way that 

107

makes sense to me, at least.  I'd not expect those "docs are useful here" 

108

comments to make much sense to others, as it's begging the question (in 

109

the legal and original Latin circular reasoning sense).  But it's 

110

justification for the non-default, to me.

111

112

> Another example.  I have -python globally and have been using

113

> app-mobilephone/gammu.  Now I want to emerge app-mobilephone/wammu. But

114

> it needs +python for gammu, so I *have to* set 'app-mobilephone/gammu

115

> python' in package.use.  In this case I also add a comment which

116

> explains the reason because it is not what *I want* it is what *portage

117

> needs*.

118

>

119

>> Regardless of why it's there, however, because only non-default entries

120

>> are in package.use, they're the obvious exception.

121

>

122

> You somehow do not distinguish between those two types of exceptions

123

> explained in examples above.

124

125

Because to me, it's the exception that matters.  I document it, and when 

126

the reason goes away, so can the exception, but whether it's an exception 

127

forced on me by upstream or one I want, like docs for some particular 

128

package, it's an exception to a rule that's there for a reason, and that 

129

exception needs documentation.

130

131

132

But bottom line back on the original debate on every-update USE flag 

133

changes, yeah, if you're updating only every 2-4 months, then yes, I 

134

could see that being flag changes every update.  Update frequency is the 

135

(formerly) mystery reason for the difference, at least the main one!

136

137

--

138

Duncan - List replies preferred.   No HTML msgs.

139

"Every nonfree program has a lord, a master --

140

and if you use the program, he is your master."  Richard Stallman

Gentoo Archives: gentoo-dev

Replies

1	Róbert Čerňanský posted on Sun, 25 Jan 2015 14:27:50 +0100 as excerpted:
2
3	> On Sun, 25 Jan 2015 04:29:43 +0000 (UTC)
4	> Duncan <1i5t5.duncan@×××.net> wrote:
5	>> [...]
6	>
7	> More frequent updates is most likely the reason that you do not have to
8	> edit use flags every time.
9
10	With the information below, seems like it.
11
12	> I update every 2-4 months (only GLSAs in between) therefore my
13	> experience is that I have to edit it every time (not for GLSAs of
14	> course).
15
16	I'd worry about that.
17
18	Frankly, I think the GLSAs are often too slow to come out, but I'm
19	honestly not sure what could practically be done to fix it. The problem
20	(as I understand/see it) is that by policy the GLSAs don't get released
21	until all security-handled archs have stable-keyworded the fixed package-
22	version, and some of those security-supported archs are underpowered and/
23	or undermanned and simply take longer than I'd consider ideal to do that
24	keywording, even at security-priority. But the only real and practical
25	fix would be either GLSA's per-arch as they stabilize, and accepting that
26	such a policy means the slow archs /will/ be sitting there exposed
27	without a stabilized fix or GLSA, OR a GLSA-on-first-stable policy, and
28	accept that archs behind the first to stable would be getting GLSAs
29	suggesting fixed packages that might not actually be tested and
30	stabilized for a month on some affected archs.
31
32	The result of the current policy is that if you're waiting for the GLSA,
33	unless it's _extreme_ priority (heartbleed level), on at least amd64,
34	you're very often sitting there exposed for well over a week, and too
35	often a month, after the fix is out there, actually installed on /my/
36	systems. And to me that's a game of Russian Roulette odds that I'm
37	simply not willing to play.
38
39	If you're going to do security-updates only, at least follow a good
40	notification service (LWN's daily security updates notices are a start,
41	if you compare against what you have installed on gentoo), and grab the
42	corresponding gentoo updates before the GLSAs. At least then, if it's at
43	least high enough priority to hit the news, you'll have it manually
44	installed and won't be sitting there with your *** hanging out for weeks
45	at a time!
46
47	>
48	>> 2) My global USE= starts with -*. I got tired of worrying about what
49	> [...]
50	> More or less same here, except -* as the default. I trust developers
51	> that they are choosing wisely in profile and ebuilds. ;-)
52
53	It's not that I don't trust 'em. I'm running their ebuilds as root,
54	after all. =:^)
55
56	It's more the certainty of knowing however it's set, I set it that way,
57	and other than a flag name change or add/remove, it's going to stay that
58	way unless I change it. Also, figuring out where a tree default comes
59	from isn't as easy or intuitive as it might be. Both the profiles and
60	the ebuilds (with eclasses) cascade, and while I agree with doing it that
61	way (I was around before cascading profiles and when eclasses were much
62	simpler than they are today, and believe me, this way's easier/better!),
63	it doesn't make looking up things easier.
64
65	FWIW I negate my entire @system set and thus have an empty @system, with
66	some otherwise @system packages in @world, and a few simply not installed
67	as such, for similar reasons. I want to control it myself.
68
69	Plus, after setting -* in my use file, all the -flag entries in the file
70	could go away. MUCH cleaner USE file now! =:^) And it turned out there
71	actually weren't that many changes after that, because I had negated
72	profile or IUSE defaults enough already, with package.use where it
73	deviated, that -* ended up being a rather large simplification of the use
74	file itself, with few actual flag changes. =:^)
75
76	The one thing I /do/ need to be aware of, now, is that I /don't/
77	automatically see IUSE defaults in the various packages. Thus, on new
78	packages or major upgrades that significantly change USE flags, when I'm
79	in doubt on a flag, I do occasionally actually check the ebuild, to see
80	whether the maintainer considered it important enough to use-default it
81	on.
82
83	>> When I set such an entry, I prefix a comment line with the date and an
84	>> explanation of WHY the entry needs to be there, different from my
85	>> normal default settings. Sometimes, it's due to a bug, and a couple
86	>> versions later I can go thru and test with that entry commented, to see
87	>> if the bug is fixed, yet. Other times it's due to a use-dep from some
88	>> other package I have installed. Both qt and kde tend to have
89	>
90	> This where we get to the point. If you set USE flag because of a bug or
91	> because of dependency it is not because you want to but because you
92	> have to (or portage needs to). Therefore you need to add a comment
93	> WHY you did it.
94	>
95	> For example I have -doc in make.conf because I do not want docs
96	> globally. But I have 'dev-lang/python doc' in package.use because I
97	> develop in Python and want the documentation for it. Such entry does
98	> not need a comment, because I simply know what I want.
99
100	My comment for the latter is generally along the lines of "I want docs
101	for this", or "docs here are useful".
102
103	Here, it's justifying the non-default with documentation. It doesn't
104	matter so much whether it's a non-default I want specifically, or one
105	that was forced on me, there's a reason I set my USE flags as I do, and
106	deviating from that needs justification, so I provide it... in a way that
107	makes sense to me, at least. I'd not expect those "docs are useful here"
108	comments to make much sense to others, as it's begging the question (in
109	the legal and original Latin circular reasoning sense). But it's
110	justification for the non-default, to me.
111
112	> Another example. I have -python globally and have been using
113	> app-mobilephone/gammu. Now I want to emerge app-mobilephone/wammu. But
114	> it needs +python for gammu, so I have to set 'app-mobilephone/gammu
115	> python' in package.use. In this case I also add a comment which
116	> explains the reason because it is not what I want it is what *portage
117	> needs*.
118	>
119	>> Regardless of why it's there, however, because only non-default entries
120	>> are in package.use, they're the obvious exception.
121	>
122	> You somehow do not distinguish between those two types of exceptions
123	> explained in examples above.
124
125	Because to me, it's the exception that matters. I document it, and when
126	the reason goes away, so can the exception, but whether it's an exception
127	forced on me by upstream or one I want, like docs for some particular
128	package, it's an exception to a rule that's there for a reason, and that
129	exception needs documentation.
130
131
132	But bottom line back on the original debate on every-update USE flag
133	changes, yeah, if you're updating only every 2-4 months, then yes, I
134	could see that being flag changes every update. Update frequency is the
135	(formerly) mystery reason for the difference, at least the main one!
136
137	--
138	Duncan - List replies preferred. No HTML msgs.
139	"Every nonfree program has a lord, a master --
140	and if you use the program, he is your master." Richard Stallman